A View on Mega Trends

(Abridged Version) 


Abstract 


The pace of scientifically driven change across key sectors is accelerating. Many of these evolving
technologies interact and may also be interdependent. The rate and impact of technological advances
and interactions are often misunderstood or underestimated. Organizations—faced with time, money
and people constraints—will struggle to make effective planning and investment decisions. Meant as a
backdrop for CSE senior decision makers, this paper aims to provide insights into the interconnected
nature of key technology, economic and societal trends across a range of sectors. While these "mega
trends" have been considered in the context of Canada's cryptologic mission, other departments and
agencies are also likely to be affected by their introduction, adoption and evolution.


Introduction 

The future will continue to be shaped by the convergence of technology advance, financial, political,
societal decisions, demographics, as well as unap^^^^^ man-made and natural crises. In the wake of
recent financial recessions and terrorist acts, we may be predisposed to consider the future in a
negative context. History, however, has proven that societies are resilient and that economic bust cycles
are temporary, almost always followed by a boom cycle triggered by new ideas and innovation (e.g.
Roaring Twenties, Silent generation's bull market (1950/1960s), Boomer's boom (1980/1990s), Gen X's
bubble and bull market (iOpOs)). This diagnostic paints a future where the next anticipated cycle will be
spurred by the millennial generation who, raised in a technically rich environment, have the potential to
launch the next industrial revolution and create an economic boom rivaling—if not surpassing—the one
created by the outgoing Boomers.

Against this assumption, this document considers the following mega trends over the next five to fifteen 
years in the context of a preferred future:

The Coexistence of Security, Privacy and Trust for On-line Activity;

The Evolution of the Canadian Economy Toward Knowledge-Based Sectors;

The Advent of Blockchain Technology and Cryptocurrency;

The Fourth Industrial Revolution, including Artificial Intelligence;

The Rise of Millennials and Aging Boomers;

The "New Normal" of Ubiquitous Encryption; and

The Rise of Quantum-Related Technologies.


The preferred news headlines presented at the end of each section are illustrative only and do not 
represent current or proposed policy outcomes. 

Trend 1: The Coexistence of Security, Privacy and Trust for On-line Activity

Renewed dialogue on privacy and security has been spurred by recognition of the vulnerability of on-line 
communications. Increasingly, mainstream media is reporting on cyber threat activities directed against 
individuals, governments and critical infrastructure. Unauthorized disclosures of intelligence activities, 
private sector monitoring, leaks of personal information through corporate data breaches, identity and 
intellectual property theft, ransomware and other cybercrimes have all contributed to a growing public 
consciousness of the need for cyber security. This growing awareness has also been driven by the 
widespread adoption by Canadians of digital and increasingly connected technologies. The ubiquity and 
capacity of technology have created an environment where vast amounts of personal and otherwise
valuable corporate data and intellectual property are, by default, stored on-line. 

Various aspects of personal security are becoming more mainstream concepts and increasingly
accessible through on-line services and applications. On-line anonymity is achieved when one's real
identity remains hidden, for example, by using The Onion Router (TOR) or low attribution networks,
obfuscating IP addresses, or paying for on-line services with a cryptocurrency (e.g., Bitcoin). On-line
privacy is achieved by having the means to protect activity, information and data, and prevent it from
being accessed by others; this can be achieved by using end-to-end (e2e) encryption, virtual private
networks (VPNs), and through legislation and policies for strong data protection. Other protection
mechanisms, such as "differential privacy technology" already in use by companies such as Apple and
Google, aim to gather data and analyse usage patterns without compromising privacy.

An emerging awareness of the cyber threat, coupled of digital connected
technologies have precipitated the broad availability of commercial encryption products, commercial
services and privacy-enhancing technologies for protecting on-line activities with enhanced security,
anonymity and privacy. This has prompted debate of how national security and privacy can co-exist, and
how trust can be enhanced among technology users, communications service providers and government
security and intelligence agencies.

Going forward, the debate over privacy versus national security (e.g. Apple vs. the US Justice 
Department) is setting the foundation, through the Digital Equilibrium Project, for the creation of a 
digital constitution led by technology firms, top US national security leaders and privacy advocates. The 
rule of law should continue to be relied upon to regulate the actions of the state in circumstances where
the privacy of individuals may be implicated, despite the fact that technology is having a disruptive
influence on this delicate balance. We need to find ways in which technology can address the privacy
concerns of the individual without pre-empting the ability of the state to enforce public safety interests,
where and as appropriate. 


However, security, privacy and trust of the entire community make the technical expertise that can be 
offered by federal organizations of value in establishing privacy and information security mechanisms 
that are also technically trustworthy from a cyber-security perspective. The public will look to the 
government to play a key role in defining standards and building trust in the technology that underpins
society and commerce. 


Preferred news headline: "Government of Canada systems ranked best in world for the privacy
protection of citizens' information." 

Trend 2: The Evolution of Knowledge-Based Sectors

Canada's natural resources and energy sectors have been challenged by the recent global recession. The 
impact of low oil prices can be seen at a macro level through production cutbacks and revenue loss, 
currency fluctuations and debt levels, and felt among some Canadians through greater personal debt, a 
higher cost of living, flat wages, and growing challenges in repaying loans and mortgages currently 
estimated at a collective C$107B. 


On the broader financial front, Standard & Poor's Index (S&P) in the US and the TSX in Canada are at the
same levels as early 2014. While some economists push for government-sponsored stimulus injections,
others are cautioning that markets would benefit by remaining static for the next decade. Among
curious emerging trends (Japan, Sweden, and Denmark) is Negative Interest Rate Policies (NIRP), or
savings accounts that charge interest and present the potential to distort the financial system, prompt
individuals to hoard cash and deal unexpected consequences for the economy.

Looking ahead, world economies that have thrived by relying heavily on the extraction, transformation
and use of natural resources, manufacturing plants, transportation, classical banking, are increasingly
embracing the power of knowledge-based sectors. This includes leveraging the convergence of
information technology and operational technology (IT/OT), financial technologies (FinTech), through
automation, innovation, living labs, smart cities initiatives and leveraging clean renewable sources of
energy.

In increasingly competitive global market scenarios, states, organizations and individuals will
aggressively target emerging expertise and intellectual property belonging to others with a view to
prosper or simply keep up with the knowledge economy. This information, most of which will exist
beyond government networks in electronic format, will be a highly valuable commodity. Its storage will
create new threat vectors to manage and will need to be protected by robust cyber security measures.




Preferred news headline: "Global ert^ lines up to buy Canadian renewable energy technology."


Trend 3: The Advent of Blockchain Technology and Cryptocurrency 




Payment processing between a payer, several middle institutions and a recipient has always represented
a significant source of revenues for the financial and banking systems. But despite an estimate of $1.7T
(trillion) in revenues these systems are considered highly inefficient due to heavy regulations, complex
governance models, the number of parties involved, transaction delays, and the rising cost of integrating 
technology in a centuries-old system. Such inefficiencies have enabled the rapid rise of financial 
technologies (FinTech). 


FinTech is a disruptive and collective line of business featuring companies that use blockchain (BC) 
software to provide financial services via a distributed ledger that maintains a linear, chronological and 
continuously growing list of data records (blocks) where each block contains information about a
transaction and a timestamp linking it to a previous one. Blockchain is designed to record digital 
transactions in a way that is secure (encryption), reliable, available, distributed, transparent, immutable, 
irrevocable, auditable, and efficient. Blockchain technology allows people (and machines) who don't 
know each other to trust a shared record of events anywhere, anytime. The best known use of
blockchain technology is cryptocurrencies, such as Bitcoin, Ether and LiteCoin and applications that 
enable peer-to-peer lending. 


Global FinTech investment has already surpassed $12B, with 42 of the world's largest banks in consortia 
to design and build blockchain solutions. FinTech is not only eroding banks' market shares, but 
positioning to be the backbone of all transaction-based industries. By simplifying business models, 
improving efficiency and reducing costs, other industries have started to adopt the technology: NASDAQ
market exchange pilot, IBM and Samsung proof-of-concept which demonstrate how blockchain can
support Internet of Things (IoT) applications, transactions processing and how it can foster coordination
among multiple devices. 


It is estimated that by 2025, 10% of global GDP will be stored on a blockchain network. While some
countries may prohibit the use of blockchain-based cryptocurrencies, China is looking to establish one
for routine commerce. Blockchain has much to offer to other industries including retail, supply chains,
accounting and auditing, government services, digital identities, health records, electoral systems, real
estate and land titles, IoT communications, smart cities, and the protection of critical infrastructures
against cyber attacks. Perhaps one of the key challenges, as stated earlier, is that blockchain could allow
individuals to function outside an environment governed by policy. Given such challenges, a non-profit
open-source development effort called the Hyperledger Project is demonstrating that users should be
able to safely share their data using a neutral system instead of keeping it locked away inside private
systems. Furthermore, this effort has the longer-term benefit of establishing a trustworthy digital
infrastructure that doesn't centralize power with one authority. If done right, blockchain could become
the plumbing for all transaction-based systems.




Preferred news headline: "Canada p^gto/jo/ Fintm f with adoption of new secure
blockchain-based cryptocurrency."


Trend 4: The Fourth Industrial Revolution




While cyberspace and social media have grabbed global headlines in recent years, a major technology
cluster will have an even more seismic impact in coming decades: the Fourth Industrial Revolution (4IR).
The 4IR is composed of developments in artificial intelligence, cognitive technologies, advanced
robotics, nanotechnology, augmented and virtual reality, additive manufacturing (3D-4D printing),
Industrial Internet of Things, biotechnology, genetics, and augmented humans (neuro and bionics).
We are just at the beginning of the 4IR and these technologies will build on and amplify one another to
allow for exponential innovation, development and growth.


The future of artificial intelligence (AI) can be broken down into three main categories: 1) Narrow
Intelligence which seeks to execute specialized tasks such as speech recognition, conversation platforms
(chatbots), the execution of specific tasks from managing calendars to controlling IoT devices, etc.
Current examples include virtual private assistants such as Siri, Cortana, Alexa, Viv and Now; 2) Artificial
General Intelligence or AI that's at least as intellectually capable as a human which aims to replicate
many aspects of human cognition (2030-2040); and 3) Artificial Super Intelligence, the singularity or AI
that is smarter than any human (2045-2060). Known for its performances on the television game show
Jeopardy!, IBM's AI platform Watson has recently been 'hired' by the law firm Baker & Hostetler to
handle their bankruptcy practice. Built on IBM's cognitive computer, the Watson Ross program is
considered to be the world's first AI attorney. IBM has also partnered with Softbank to explore the use
of robot assistants in retail stores across the US. Other robotic initiatives include: the use of robot
assistants to provide product information in Nestle cafes in Japan; and Lowe's and Best Buy in the US
have robots that bring merchandise to customers who make a request via a touch screen. These
examples show robotics with advanced machine decision making used in domains, until now, exclusively
run by humans. Along those lines, the World Economic Forum (WEF) speaks to the possibility of AI
sitting on a corporate board of directors within the next decade.


Ubiquitous cognitive technologies (CT) will play an increasingly crucial role by leveraging: machine
learning (systems that can improve their performance without the need to follow programmed
instructions); and natural language processing (machines that can process text, extract meaning and
generate text like a human, as well as speech recognition, and the ability to automatically and
accurately transcribe speech). Successfully integrating CT will improve core functionality, automation
and the ability to generate new knowledge. CT may well help in fulfilling the 1.5 million open cyber
security jobs projected to be required by 2020 by which time we can expect the majority of the world's
largest enterprise software companies to feature integrated CT.


The digital world is increasingly bleeding into the physical world. Augmented and virtual reality are
taking lessons from the gaming industry and applying them to business (e.g., training and education,
data visualization, healthcare diagnostics, product demos, remote assistance, etc.). Digital can also now
transition to the physical world through the use of additive manufacturing (i.e. 3D-4D printing). This
technology will provide speed advantages to design, manufacture and test parts, thus
avoiding long production cycles, and will have an impact on economies around the world.


The Industrial Internet of Things (IIoT) will bring device deployment beyond the current concepts of
connectivity and remote accessibility. IIoT will be deployed by a wide range of enterprises, government
services, and municipalities through critical infrastructures and smart cities projects to address relevant
business, consumer and public needs. Interoperability will be the biggest commodity and information
will be more valuable than the devices themselves. A negative downside to seamless interoperability is
the potential—indeed re^ platforms used in distributed denial of service (DDoS) attacks
against critical infrastructure or other targeted on-line services. According to media reports, the heaviest
and most sustained investments in IoT technologies are made by China, India, Singapore and South
Korea.


The implications across a range of disciplines are exciting and promise to bring profound change. The 
biotechnology, genetics, and augmented humans technology cluster spans wide and deep as research 
and development are expected to drastically change how we define humanity. With novel objectives of 
increasing quality of life and life through genome editing, these technologies will have a
significant impact on physical and cognitive capabilities and human-machine divide.


That said, new technologies will bring new actors. These include state-run laboratories, corporate 
investors, DIY maker groups, terrorists and organized criminals that are competing to harness and 
leverage these technologies in pursuit of their interests. As a case in point, in order to drive China's 
future economic development their latest five-year plan (2016-2020) calls for investments in the order 
of US$40B on science and about US$35B in basic research. Priority areas include: neuroscience, genetic 
research, quantum communications and computation, clean energy sources, industrial, medical and 
military robots. 

The broader risk implications from these technologies are many: increased susceptibility to
cyber-attacks, difficulty in ascertaining attribution, facilitation of advances in foreign weapon (including
biological and chemical) and intelligence systems, AI done wrong and related liability issues, breakdown
of trust between individuals, the threat of unemployment, and the ability of policy and regulation to
keep up.


In the previous three industrial revolutions, human development advancements were likewise profound,
but they also precipitated violent transfers of power. As noted in the World Economic Forum's report on
this trend, "Technological innovation will continue to influence how conflicts arise, who fights them,
where they are fought and how they are settled. Breakthroughs in a range of technologies - from
robotics to nanotechnology, artificial intelligence, genome sequencing human advancements or meta
materials - could destabilize security and shift balances of power".




Preferred news headline: "Canada deploys a world-first driverless transportation infrastructure in key
urban centres"




Trend 5: The Rise of the Millennials and Aging Boomers 




Millennials are considered the world's smartest and best-educated generation, representing a quarter
of the global population and soon to make up half the workforce in developed countries. Millennials,
raised in a technically rich environment, are already influencing our societies, including the development
and use of technology, family and work environments, social programs, and the economy.


Millennials are projecting or riding the wave of change and innovation. Uber-like shared economy
applications are impacted by the law of supply and demand, are known to generate volatility, create a
price race to the bottom, and significantly redefine the term 'independent worker'. It remains to be seen
how Millennials will react to having an algorithm as a boss.


Facing adversity in a world heavily shaped and Gen X, Millennials see careers, work
environments, and family life very differently than previous generations. A recent study by Steelcase
found that the best way to ensure employees' engagement is to give them control over where and how
they do their work, which may mean liberating them from having to do everything in collaboration with
others, from the culture of meetings and potentially distracting open-concept offices.


Going forward, perhaps the most palpable sign of change is the Millennials' ability to impose new rules 
for the development and use of technologies that enable a transition towards a sharing economy. The 
best disruptive example is Uber, which completely revolutionized the personal transportation industry.
But if past events are a sign of ones to come, it is highly likely that even Uber will be forced to adapt its
services with the introduction of autonomous vehicles. In the end, Millennials will be the architects of 
social, political and technological disruption, and organizations must not only prepare to adapt, but also 
to attract, hire and retain the wired generation that will innovate to shape our future. 


Preferred news headline: "Canada's public service riding innovation wave as top employer for
Millennials." 

Trend 6: The "New Normal" of Ubiquitous Encryption


Encryption products are being adopted at a profound rate and influencing trends that deal with security, 
privacy and trust. Their rapid development and implementation come in the wake of increasing 
discussion about privacy protection in the wake of leaks by private sector players or media reporting 
about government security and intelligence activities. The recent Apple-FBI imbroglio has transformed 
the privacy debate into an industry vs. government standoff. In March 2016, several technology 
companies including Amazon, Airbnb, Cisco, eBay, Facebook, Google, LinkedIn, Microsoft, and Twitter
came together to publicly support Apple in its ongoing encryption dispute with the FBI, seen as a proxy
for intrusive state security actors. Privacy advocates and experts alike have publicly committed to
develop encryption products that can secure information and stymie most nation state collection
capabilities. Most services have already integrated some level of cryptographic features aimed at
enhancing security and privacy, usually baked-in, transparent and simple to use, with end-to-end (e2e)
encryption now the norm for communications (messaging services, voice, video-conferencing, cloud
services, blockchain technology and cryptocurrencies).




But encryption is a complex task, based either on open or proprietary standards. The science behind
open encryption standards has been publicly developed and tested, and is usually considered to be
verifiable and trustable. In the case of proprietary technology, however, products are more likely to be
the result of rapid prototyping, to use cheaper or limited hardware components and to have less robust
implementation. Still, foolproof encryption is complicated by the difficulty of controlling and
implementing all aspects of a secure, end-to-end environment. The human factor—convenience, user
friendliness, time-to-market and weak implementation schemes—remains likely to undermine the
effectiveness of strong encryption or other security features.

Going forward, the Internet of Things (IoT) promises to complicate the prospects for encryption and
security. Hardware limitations from processors, memory, and communications protocols are currently
hindering the use, efficiency or interoperability of encryption, and the possibility of implementation
errors will persist. The development of next-generation encryption algorithms better suited for
micro-computing devices may eventually enable the bring-your-own-device (BYOD) practice in the
workplace that enables employees to connect to the organizations' network using their own devices.

Preferred news headline: "On-line commerce on the rise due to increased consumer confidence that
transactions are private, secure, and trustworthy."

Trend 7: The Rise of Quantum-Related Technologies 


At the heart of technology is the design and creation of machines. Machines must obey the laws of 
physics, until recently the predominant underlying theoretical foundation for virtually all of technology. 
But in the late 20th century, the miniaturization of computers began to produce devices whose physical 
size approaches that of individual molecules. To understand the behaviour of these devices, engineers 
have turned to the theory of quantum physics to explain the bizarre and counter-intuitive results of 
physics experiments involving extremely tiny systems and discovered that machines could be built to 
perform operations that were considered impossible in the classical sense. Emerging quantum
technologies—including quantum computers (QC), quantum cryptography (Q Crypt), 
quantum-resistant cryptography (QR Crypt), quantum key distribution (QKD), and quantum 
communications — each exploit quantum physics to provide more power and utility than classical
technology. This new class of technologies is rapidly moving from the domain of academic research into 
the world of commercial technological application. 


Canada is home to many of the world's most respected researchers and institutions in the quantum
space, including: The Perimeter Institute for Theoretical Physics; The Institute for Quantum Computing
(IQC) at the University of Waterloo; Quantum Valley Investments (QVI); The Institute for Quantum
Science and Technology at the University of Calgary; The University of Montreal; The Center for
Quantum Information and Quantum Control (CQIQC) at the University of Toronto; The National
Research Council (NRC) new National Strategy and Quantum Lab; and Vancouver-based D-Wave
Systems Inc. and, to some degree, coordinated through the Natural Sciences and Engineering Research
Council of Canada (NSERC).


Going forward, while limited prototypes of quantum computers have been demonstrated, the biggest
challenge is scalability. Companies like Google are investing heavily in QCrypt to secure communications
and directly compete with Canada's D-Wave offering while at the same time developing QR Crypt
algorithms that can safeguard against future QC capabilities (e.g. New Hope algorithm trial). It is
generally acknowledged that quantum technology is still 10 to 30 years away from providing the
breakthroughs that would bring tremendous advantages from a security and a financial perspective.
From another perspective, the advent of quantum computing would deliver the computational power to
break all current cryptographic schemes, and threatens to render most of current encrypted
communications readable. There is a pressing need to invest in the near term in quantum-related
technologies that would both take advantage of the potential economic and security benefits, as well as
to continue to safeguard encrypted communications used by the Government, Canadian national
infrastructures and Canadians alike.

Preferred news headline: "Canada experiences reverse brain drain as global quantum experts flock to
Waterloo, a city referred to as Quantum Valley."


Conclusion 






Within roughly five to fifteen years, the megatrends presented in this paper are likely—both individually
and in combination—to have a profound impact on Canada's economy, society and security. Indeed,
these are global trends that will transcend Canada's border and influence the international community.
Each of these trends brings promise and challenge, further compounded by the interconnectedness and
interdependence of several key technology advances. Significant and sustained leadership, innovation,
partnership and investment to navigate the complexity of the problem space, the
accelerated pace of change within Canada's finite internal capacity.


Follow on analysis in these and other emerging mega trends should be conducted to identify and 
validate: 

• the level of awareness of emerging and disruptive technologies; 

• the risks associated with any related national security implications; and 

• priority areas for further work including strategic assets, technologies and knowledge that will 
provide the foundation for Canada's future security and prosperity. 

Executive summary

In October 2010, the Government of Canada published Canada's Cyber Security 
Strategy, acknowledging the omnipresence of digital infrastructure, as well as the new 
vulnerabilities that go along with this technological development. Because of the 
constant innovations that characterize the digital sector and to respond to them in an 
appropriate manner, any cyber security strategy must be accompanied by a foresight 
exercise intended to anticipate emerging technological, cultural and criminal trends. 

This report identifies nine emerging technological trends based on 21 technological 
foresight documents published by various specialized businesses and public agencies. 
These trends bring together technologies with the potential to initiate lasting 
transformation in the digital ecosystem, which we define as all of the infrastructure, 
software applications, content, and the social practices that determine how the 
ecosystem is used. The notion of an ecosystem allows us to examine in an integrated 
manner the interactions between the technical, economic, social, political and legal 
dimensions of this complex assemblage. 

These nine trends are as follows: 

1. Cloud computing 

2. Big data 

3. The Internet of things 

4. Mobile Internet 

5. Brain-computer interfaces 

6. Near-field communication (NFC) payments 

7. Mobile robots 

8. Quantum computing 

9. Internet militarization/weaponization 

The characteristics and development drivers of each of the nine trends were analyzed 
by reviewing the scientific literature and the content of Web sites that specialize in new 
technologies. The degree of maturity and adoption among professional users and the 
general public varies widely from one trend to another. While cloud computing and the 
mobile Internet are already part of our daily consumer lifestyle, quantum computing 
remains at an embryonic stage of theoretical development and practical applications 
will not reach the market for at least about ten years. Several distinct categories of 
development drivers were identified, in particular scientific, industrial, economic, social, 
legal and strategic drivers. Finally, each trend was analyzed for its cyber security 
implications. The most frequently appearing implications include the increased number 
of opportunities for malicious attacks, the lack of consideration for security needs 
during the development of the technologies in question, even when these technologies 
are used to carry out financial transactions, the dilution of mechanisms for controlling 
system integrity because of the ever-increasing interconnection of machines, or the
erosion of user privacy, including personal information that represents an irresistible
source of added value to organizations. 

A few of the following themes that appear common to all nine trends are also 
mentioned in the conclusion: the interdependence of the technologies examined, which 
will require the implementation of integrated security policies to prevent a 
counterproductive fragmentation of resources; the expansion and diversification of the 
digital ecosystem, which will also require sophisticated coordination policies; the 
transformation of the notion of privacy; the convergence of the problems of cyber 
security with those of human security; the indispensable balance between having 
adequate cyber security and maintaining the economic and technical competitiveness 
that depends on a certain regulatory freedom; the risks of groups of individuals 
adopting self-defence practices in the event states fail to provide security; and finally 
the positive contributions of the nine trends to cyber security. 

The five recommendations that follow in the last section serve to convert the 
findings of this report into concrete actions: 

1. Develop and deploy permanent monitoring procedures and tools, the purpose of 
which will be to monitor the development of the digital ecosystem by surveying the 
various actors and interactions, and to assess the effects of these transformations 
on cyber security. 

2. Align the regulatory regimes applicable to the various infrastructures, 
applications and content with the resources and strategies implemented by a 
growing number of government actors, as well as their private partners, in order to 
quickly detect emerging digital risks and limit their impact on a constantly evolving 
ecosystem. 

3. Initiate an in-depth consultation and reflection exercise to formulate proposals 
on how to restructure existing government institutions or create new ones to adapt 
the Canadian government's intervention and coordination abilities to the new 
needs. 

4. Intensify empirical research on the transformations of risks, standards and 
practices associated with privacy protection in the digital ecosystem. 

5. Accentuate coordination and knowledge-transfer initiatives of national and 
provincial authorities in order to accelerate and standardize the development of 
local capabilities. 

Introduction and background 

In October 2010, the Government of Canada published Canada's Cyber Security 
Strategy, acknowledging the omnipresence of digital infrastructure in the daily lives of 
users, businesses and public institutions, as well as the new vulnerabilities that go along 
with this technological development. 

Because of the constant innovations that characterize the digital sector and to respond 
to them in an appropriate manner, any cyber security strategy must be accompanied by 
a foresight exercise intended to anticipate emerging technological, cultural and criminal 
trends. The pace of innovation in the digital sector is mostly attributable to the 
frequency at which disruptive technologies appear and constantly redefine the 
properties of this market, exploit new opportunities in less-dynamic markets, or simply 
create new markets. The term "disruptive technology" was first used by Clayton 
Christensen (1997) to analyze innovations that do not simply improve the performance 
of existing technologies (these innovations are called sustaining technology), but that 
instead define entirely new products or services to meet unsatisfied needs, and 
consequently make a lasting change in the technological landscape into which they fit. 
However, this idea of disruptive technology can be applied to any field of activity and 
does not by itself explain why the digital sector is so fertile in this regard. 

Instead, the work of Yochai Benkler (2006) on the wealth of networks allows us to 
understand why this sector seems embroiled in a permanent revolution. Benkler 
postulated that digital technologies are at the root of a new information ecosystem, the 
key property of which is that it would be much less exposed to financial constraints than 
its predecessors. While in the industrial era, a concentration of capital was once 
required to produce and distribute information, the radical decentralization facilitated 
by contemporary technical and social networks would lower the cost of entry - and 
therefore innovation - for new actors in the digital era (Benkler, 2006: 32), which would 
therefore favour the emergence of disruptive technologies at shorter and shorter 
intervals. 

Combining these two streams of thought appears particularly stimulating, since it allows 
us to consider forms of spontaneous innovation coming from users themselves or from 
actors considered to be marginal, such as fraudsters, hackers or hacktivists. The 
proliferation of disruptive technologies would therefore increase the number of 
breaches (Killias, 2006), which would then be exploited by offenders without being 
detected by the authorities for some time, before leading to more systematic police and 
legal responses once a given threshold of severity is crossed. 

We will therefore try in this report to identify, based on disruptive technologies that 
should mature over the next ten years, which breaches are likely to affect the cyber 
security of Canadian citizens, businesses and institutions. This approach therefore 
concentrates on the medium-term development of the digital ecosystem and on the 
adaptations it will provoke in offenders, rather than on risky predictions based on 
the current state of cyber crime. 

Methodology 

Nine socio-technical and socio-economic trends were identified based on a review of 21 
technological foresight documents published by companies such as Gartner Research, 
IBM or PricewaterhouseCoopers, and public agencies such as France's department of 
industry or the United Kingdom's Foresight Horizon Scanning Centre, which have 
developed international expertise in this field. The list of the foresight documents or 
sites can be found in Appendix 1. 

These trends bring together emerging technologies with the potential to cause lasting 
change in the digital ecosystem, which we define as all of the infrastructure, software 
applications, content, and the social practices that determine how the ecosystem is 
used (and by extension monitored). The notion of an ecosystem allows us to examine in 
an integrated manner the interactions between the technical, economic, social, political 
and legal dimensions of this complex assembly. Each trend involves disruptive 
technologies that are on converging paths, all made possible by scientific breakthroughs 
or new ways of combining or using existing technologies. These are not purely 
functional general trends, such as "convergence of infrastructures" or "personal 
identification and authentication" (Cave et al., 2009: 5), but rather socio-technical 
developments that are well defined enough to match up to industrial and business 
actors and to have obviously identifiable legal or illegal uses. 

The nine major trends were ranked based on frequency of appearance in the foresight 
reports. Those trends subject to a broad consensus or that seem closer to reaching 
maturity are at the top of the list: 

1. Cloud computing - 15 mentions 

2. Big data - 12 mentions 

3. Internet of things - 9 mentions 

4. Mobile internet - 7 mentions 

5. Brain-computer interfaces - 7 mentions 

6. Near field communication (NFC) payment - 5 mentions 

7. Mobile robots - 3 mentions 

8. Quantum computing - 3 mentions 

9. Internet weaponization¹ 


¹ This last trend is mentioned in none of the 21 reports, which concentrate on technological innovations, 
but the trend flows from our observations and the increasingly numerous disclosures of information 
regarding initiatives taken by states in this field. It therefore seems to merit a place in this foresight study. 






Once these nine trends were identified, more systematic research was carried out for 
each trend in the main scientific databases that serve the following four disciplines: 
computing, criminology, sociology and management. The databases consulted included: 
ProQuest (1,560 journals), Factiva (31,000 information sources), Web of Science (ISI) 
(8,500 journals), Business Source Premier (EBSCO) (1,125 journals), ScienceDirect (1,700 
periodicals), SpringerLink (1,250 periodicals), NCJRS (210,000 indexed publications on 
criminal justice issues) and SSRN (665,000 scientific articles in pre-publication). These 
databases were consulted using the Maestro meta-search engine developed by the 
University of Montreal. Specialized Web sites on emerging technologies and the analysis 
of their social implications were also consulted, including Wired, ArsTechnica, O'Reilly 
Radar and the MIT Technology Review, to name but a few. 

This report will present for each of the nine trends the elements that seemed to be the 
most significant ones in the texts consulted. Each trend is first given a brief technical and 
background presentation that traces its origin (if there is a consensus on its origin) and 
the primary stages of development. Recent developments regarding the trend are then 
described, whether technological breakthroughs accelerating its development and 
commercial applications, major investments by public or private interests, or new social 
behaviours that support a very wide distribution of the technology among users. The 
presence or absence of the primary drivers² that seem to influence the trends identified 
are then examined to understand the social needs, economic conditions, government 
decisions or development of new scientific knowledge that could accelerate or 
decelerate the emergence of these technologies. Finally, an analysis of the cyber 
security implications concludes the study of each trend, whether about the appearance 
of specific vulnerabilities easily exploitable by offenders or about more general issues in 
terms of regulation of the actors directly or indirectly responsible for digital 
infrastructure security. 

This methodology was optimized to meet stringent time and resource constraints, which 
explains in particular why it is based exclusively on documentary data. The methodology 
developed by the Rand Corporation to anticipate the impact of new technologies on 
international affairs out to the 2020 horizon is a much more costly alternative, but it 
more systematically develops in-depth knowledge of the impact of these technological 
trends. A separate numbered indicator rates each trend for technical feasibility 
(probability that the technology can be commercialized), ease of implementation (net 
difference between non-technical drivers and barriers to implementation, such as 
demand, procurement cost, public policies, infrastructure needs and the regulatory 
framework), and the degree of take-up (global or moderate). The score for each trend is 
then weighted by country to reflect the differing capacities of each nation to 
appropriate emerging technologies to resolve economic, political and social problems 
(such as sustainable development, energy independence, public health, maintenance of 
credible defence capabilities, etc.) (Silberglitt et al., 2006). A similar methodology 
adapted to issues of cyber security and updated regularly every five years would 
certainly produce better-supported predictions and more reliable classification of trends 
likely to generate profound transformations. 

² Silberglitt et al. (2006: 41-54) identified 10 major drivers that influence most technologies: cost and 
financing; laws and policies; social values, public opinions and politics; infrastructure; privacy concerns; 
resource use and environmental health; research and development investment; education and literacy; 
population and demographics; and governance and political stability. 

Finally, we would like to warn the reader about the hypothetical nature of the 
transformations presented in the following pages, since disruptive technologies are by 
their nature difficult to anticipate. Since the objective is to survey the trends that will be 
decisive over the next ten years, it would be unsurprising to find in this study arguments 
that prove to be speculative, despite being inspired by the work of reputable 
researchers who publish in peer-reviewed journals or universally recognized experts. 




Cloud computing 

There is no consensus on the appearance of this term in scientific language 
(Choo, 2010). Some consider that it was first used in 2006 by Eric Schmidt, a 
senior leader at Google, while others suggest that this terminology was used during the 
1990s by the telecommunications sector when virtual private networks (VPNs) were 
created to make data transfers more efficient. The concept of Software as a Service 
(SaaS) also spread quickly starting in the late 1990s without the term cloud computing 
being attached to it as such. 

The reference definition for cloud computing comes from the National Institute of 
Standards and Technology (NIST): 

A model for enabling convenient, on-demand network access to a shared 
pool of configurable computing resources (e.g. networks, servers, storage, 
applications, and services) that can be rapidly provisioned and released with 
minimal management effort or service provider interaction. (Mell and 
Grance, 2011: 2) 

This model is therefore characterized by access to potentially unlimited material 
resources that require no prior investment by users, since these upstream investments 
are made by third parties, and this access is highly elastic to meet organizations' 
changing computing needs (Chen et al., 2010: 4). Cloud computing is billed by the 
minute or the hour based on use, on the same model as electricity, water or telephone 
service, which allows costs to be made variable (MEFI, 2011: 67). Furthermore, the 
responsibilities and pressures are left entirely up to the provider, and the user needs 
only have Internet access (Foresight Horizon Scanning Centre, 2010: 144). 

Four cloud computing configurations are usually identified based on the exclusiveness of 
the access to material infrastructure: resources can be private, public, shared among a 
reduced group of organizations (community cloud), or hybrid, when companies use a 
mix of public and private solutions (Mell and Grance, 2011: 2; Fenn and LeHong, 2011: 
39). 

Development of the technology 

Various assessments of the size of the cloud computing market suggest double-digit 
growth in the coming years. Global revenues associated with cloud computing reached 
68.3 billion dollars in 2011 and should double to reach 148 billion in 2014 (Foresight 
Horizon Scanning Centre, 2010: 146). A few dominant actors in this sector, such as 
Amazon and Google, will have revenues of approximately one billion US dollars in 2012 
(Gens, 2011: 4), which will make them major suppliers of services to businesses. Cisco 
and IDC make a more optimistic assessment that, in 2020, one third of computer data 
will be stored in or will transit through systems administered in the cloud, and that the 
explosion of this market could generate revenues in excess of one trillion dollars by 
2014 (Gantz and Reinsel, 2010; Nash, 2011). 



The public sector will also be affected by this trend, since the US government estimates 
that, by 2015, its annual budget expenditures associated with purchasing cloud 
computing services will reach 7 billion dollars (Kaufman, 2009: 62). The Ministère 
français de l'économie [French department of the economy], which assesses that 20%-25% 
of the computing market in 2020 will be in the cloud, believes that governments 
that want to remain competitive in this field will have to make investments as large as 
those made in traditional industries, such as the automotive industry, and plans to inject 
780 million euros into this technology in future investment (MEFI, 2011: 67). 

However, this market is not restricted to just companies or governments, since services 
available to the general public, such as DropBox, offer affordable (sometimes free) tools 
for sharing documents or simultaneously synchronizing data across several digital 
devices (Webbmedia Group, 2011: 14), and since Netflix could not market films using 
real-time video streaming without using the technical capabilities of cloud computing 
(Webb, 2011). 

Development drivers 

The first driver is technical. Cloud computing is meeting very strong demand from online 
social networking sites, which are using cloud computing to leverage their growth in the 
face of an explosion in the number of users (over one billion in Facebook's case). The 
proliferation of sites offering video and mobile content is also contributing to the 
growth of cloud computing, since it allows these sites to manage with agility the 
exponential increase in the volume of data that must be accessible everywhere and at 
all times. 

The second development driver is financial. The unparalleled flexibility of cloud 
computing promises reduced costs to companies that use it, through the savings 
realized from reduced operating and investment costs, thereby making cloud computing 
an attractive proposition, particularly in these turbulent financial times (IBM, 2011: 8). 

Implications for cyber security 

Cloud computing provides many advantages to companies, but the hoped-for 
commercial success has somewhat obscured the debate over issues of cyber security. 

In particular, the regulatory framework of data ownership must be clarified, since these 
data are hosted on the machines of suppliers, not on the machines and networks of 
their owners. The responsibilities of all parties in terms of privacy protection and 
compliance with regulatory obligations must be subject to close attention (Kaufman, 
2009: 62), in particular regarding trans-border transmission and storage of data, which 
cannot be used to escape the constraints of national regulatory systems (Office of the 
Privacy Commissioner of Canada, 2011; Helmbrecht et al., 2011: 8). Similarly, the 
possibility that dishonest service providers will steal confidential information from their 
clients in order to resell it to competitors cannot be ruled out (Chen et al., 2010). 

Cloud computing users will be confronted with a loss of control over the nature and 
effectiveness of security solutions deployed, in that these decisions will be made by 
service providers who do not all have the same protection abilities as market leaders 
such as Google or Amazon. It will be very difficult, or even impossible, for users to 
ensure that the security measures promised are implemented effectively (Catteddu and 
Hogben, 2009). Thus, it may be more difficult to ensure data confidentiality in this 
situation. 

This is especially true since the specific architecture of cloud computing creates 
increased vulnerability to malicious acts or internal failures of administrators or 
privileged users, who will concentrate in their hands unrivalled power over huge 
quantities of data. However, external users will have more difficulty evaluating the 
competency and reliability of these administrators (Rocha et al., 2011: 45), who can 
cause more severe damage because of the quantity of data for which they are 
responsible. 

Faced with natural, accidental or criminal risks, cloud computing creates increased 
interdependency of victims hosted on a common platform. In fact, if a hacker infiltrates 
the systems of a company providing cloud computing services, potentially all of the 
organization's clients become exposed to this threat (Choo, 2010: 2; Cloud Security 
Alliance, 2010: 11). Additionally, if for any reason (natural disaster, hacking, technical 
failure, search or seizure, etc.) the service provider is obligated to interrupt server 
operation, unless it has redundancy infrastructure immediately available, its clients will 
lose access to their data until the situation is re-established, and will see their 
performance degraded or their survival threatened. 

Certain researchers also raise the spectre of the criminal use to which these capacities 
could be put by hackers and fraudsters to mobilize the considerable computing power 
of the cloud to carry out attacks and escape the surveillance of security agencies. 
According to Bloomberg, the Amazon cloud computing network (known as EC2 for 
Elastic Compute Cloud) was reportedly used by hackers in early 2011 to attack Sony's 
computers and steal the personal data of several tens of millions of Sony's clients 
(Alpeyev, Galante and Yasu, 2011). Also in early 2011, a German security researcher 
uncovered a program used to break the passwords of protected wireless networks using 
Amazon's EC2 service to test over 400,000 possibilities per second (Thomas, 2011). 
Producers and consumers of child pornography could use these capabilities to better 
protect their transactions (Biggs and Vidalis, 2009: 4; Choo, 2010: 4). 

In cases of legal litigation or criminal investigations, the use of cloud computing services 
introduces an additional degree of complexity to investigations, in particular concerning 
the preservation and analysis of evidence (Butler Curtis et al., 2010: 2). In fact, digital 
forensic investigations must operate within a rigorous procedural framework intended 
to allow the evidence gathered to be admissible before a court, and sometimes before a 
jury. The principles associated with the chain of custody, which must guarantee the 
provenance of the evidence, are for example almost impossible to comply with when 
dealing with cloud computing, where data are often stored beyond the reach of 
investigators. The metadata and information in computer logs are also very difficult to 
obtain from clouds, although they provide investigators with essential information on 
suspects' activities (Reilly et al., 2010: 6). Law enforcement organizations will therefore 
need to develop protocols adapted to this new technological reality in collaboration 
with the private actors that provide these services. 

The main suppliers are aware of the impact of security issues on the commercial viability 
of the services they offer, and they have come together under the Cloud Security 
Alliance³ to develop uniform security standards and norms for the whole industry. 
However, they are carrying out this process autonomously, without consulting the 
government authorities of the key countries concerned, which does not really promote 
the emergence of robust security partnerships or networks. 


³ https://cloudsecurityalliance.org/ 





Big data 

The term big data reflects the appearance in recent years of datasets containing gigantic 
volumes of unstructured or disparate information. The units of measurement used to 
describe these volumes of data are no longer the gigabyte or the terabyte, but the 
peta-, exa-, or even zettabyte (10^21 bytes). IDC estimates that in 2011, the worldwide 
quantity of information created and exchanged on digital media (the digital universe) 
was approximately 1.8 zettabytes, and that it would be multiplied by 20 by 2020 to 
reach 38 zettabytes (Gantz and Reinsel, 2011). 

Development of the technology 

For businesses, these massive, high-velocity data flows take the form of internal 
relational data arising from interactions with clients or suppliers over Web sites or 
through call centres, the results of surveys and demographic studies, geolocation data 
updated in real time, any information produced by digital equipment (see the section on 
the Internet of things), but also external content from social media sites. The volume 
and diversity of the data processed prevent traditional analysis techniques from being 
used, and specialized solutions must be used that are based on cutting-edge computer 
tools and statistics (such as Hadoop Map/Reduce programming, R language for 
statistical analyses and visualization), and carried out on infrastructure specially 
designed for such use (NoSQL databases, massively parallel processing, very-high-speed 
networks). These processes require analysts with cross-disciplinary skills in computing 
and statistics (Asthana, 2011). 

Rather than analyzing data selectively, big data techniques take an overall approach by 
processing simultaneously all of the data at an organization's disposal in near-real time 
(Fenn and LeHong, 2011: 6), in order to extract new knowledge. This hidden value stems 
from the identification of tiny details in an ocean of data (the proverbial needle in a 
haystack) that herald emerging trends or sources of untapped profits (Manyika et al., 
2011). The primary attraction of big data is to organize on an unparalleled scale 
information that was previously collected separately, such as disparate data on one 
individual, on networks of individuals, on communities, on collective behaviour or on 
natural phenomena (Boyd and Crawford, 2011). Gartner estimates that the companies 
that master this array of techniques will in 2015 reap profits 20% higher than those of 
their less well prepared competitors (Fenn and LeHong, 2011: 20). The most intensive 
users of these techniques currently include IBM, Facebook, Google, and Wal-Mart. 
Intelligence agencies, financial institutions, insurance companies, marketing firms and 
telecommunications operators are also at the forefront of this technological trend of 
"extreme" information management (Gruman, 2010: 12; Banerjee et al., 2011). 

Development drivers 

The first development driver is social, since the volumes of data generated by new social 
practices will increase exponentially in coming years. Social media are in the process of 
becoming the dominant method of communication (having recently supplanted e-mail) 
and a preferred tool for organizing and adding value to the personal memory of 
individuals. In this context, social media generate immense quantities of data, 
whether personal or group messages, various status updates (location, emotions, 
marital status, occupations, hobbies, etc.) or photos shared with "friends." These 
mountains of data will have to be subjected to sophisticated analysis by the companies 
that put these platforms at users' disposal in order to create value for advertisers. 
However, the increasingly widespread practice of the quantified self, which advocates 
the systematic recording of personal data to improve physical or intellectual 
performance, also contributes to increasing the quantity of digital data that can be 
subjected to very large-scale analyses (Webbmedia Group, 2011). Finally, the global 
movement for open government data, which is seeing growing success in certain 
countries, with the United States, United Kingdom and to a lesser extent Canada at the 
forefront, will probably feed big data processing tools. For example, the US site data.gov 
gives Internet users access to over 390,000 freely useable data files, while Canadian site 
datadotgc.ca (maintained by citizens) offers a more modest 523 data files. 

In the business world, the past few months have witnessed the creation of data 
marketplaces that allow businesses to access the data of other public or private 
organizations to build the analytical power of their tools. Microsoft has just launched 
this type of initiative for its Azure⁴ platform and provides or rents access to 118 
databases containing several trillion entries. Increasingly high-performance visualization 
tools will also allow organizations to explore and explain the big data in their possession 
in a more intuitive manner, which will decompartmentalize the use of this type of 
analysis that had been reserved to a small group of experts and will speed up its 
adoption by organizations (Dumbill, 2011). Finally, the increasing interpenetration 
between the business and research worlds, in computing but also in the social sciences, 
will promote collaborations around the use of big data and lead to new innovations in 
this field (Boyd and Walker, 2011). 

At the technical level, the growth of the Internet of things, which we will analyze in the 
following section, will also contribute directly to the explosion in the quantity of data 
gathered by organizations and the resulting possibilities for innovative analyses. 

Implications for cyber security 

A growing number of businesses and organizations are seeing the commercial potential 
that reselling such quantities of data can generate, and they are trying to make it an 
additional revenue source. Large financial institutions therefore began to market the 
data associated with their clients' payment cards (stores frequented and products 
purchased) (Banerjee et al., 2011). In the Netherlands, a GPS localization solutions 
provider also sold the geocoded data of its users' movement to government agencies, 
including a police service, and those data were used to plan the optimal installation of 
automated speed radar traps (Lasar, 2011). This secondary market for big data 
nevertheless exposes clients and users to undesirable invasions of privacy and raises 
significant ethical problems. For example, cross-referencing apparently insignificant 
fragments of information within big data sets can be used to reveal individuals' 
identities with a sufficiently high degree of confidence (Acquisti et al., 2011). This 
uninterrupted flood of data makes the traditional privacy control mechanisms that 
organizations, individuals and regulatory authorities currently have available particularly 
difficult to use. In fact, in such an environment, how can one be certain what types of 
data are collected and retained, with what degree of accuracy and reliability, or what 
data retention, exchange, marketing and destruction policies are implemented (Newton 
and Pfleeger, 2006: 180)? 


⁴ https://datamarket.azure.com/ 

In such a context, automated privacy protection (privacy by design) and access 
management mechanisms must be designed to allow users and companies to regain 
control and manage responsibly the massive quantities of data they generate 
(sometimes without knowing it) that then become exploitable (Hourcade et 
al., 2009: 31; Jonas, 2011). Certain initiatives intended for individuals, such as 
MyPermissions,⁵ ThinkUp,⁶ or the Locker Project,⁷ and the Accumulo applications, 
developed as open source projects by the National Security Agency (Jackson, 2011), and 
Infosphere Sensemaking, developed by IBM (Jonas, 2011: 15), illustrate the form these 
tools could take. 

While analyzing big data raises some technical problems, keeping it secure also presents 
many challenges. At such a scale, encrypting all data is not a viable solution because of 
technical constraints, and only the most sensitive information can be encrypted. 
However, this data must be decrypted during each analysis to allow for cross- 
referencing, which exposes this information more frequently and more massively to 
criminal threats. Therefore, development should be accelerated on encryption 
techniques that allow data to be manipulated and analyzed without having to decrypt it. 
These innovative cryptographic techniques protect data integrity while preserving the 
data's initial format (format-preserving encryption) (Spies, 2008). 

The technical platforms used to analyze big data are still relatively immature and were 
not originally designed to provide high levels of security, since they were initially 
designed to study open data. Organizations that decide to exploit this technology will 
therefore have to procure and develop additional security solutions that will 
nevertheless remain less robust than a more integrated approach (security by design) 
(Lane, 2011). 

The process of amalgamating and reusing data for repeated analyses also leads to a 
proliferation phenomenon where the traceability of data, particularly those described as 
sensitive, becomes increasingly difficult to establish. This situation therefore increases 
vulnerabilities and opportunities for offenders to gain access to large amounts of 
potentially very profitable personal data. 


⁵ http://mypermissions.org/ 

⁶ http://thinkupapp.com/ 

⁷ http://lockerproject.org/ 

The Internet of things 

The Internet of things (or IoT) refers to the growing interaction between the physical 
and digital worlds through sensors and data capture devices integrated into the objects 
around us (from cars to pacemakers to refrigerators to smart meters). These objects 
gain the ability to communicate wirelessly with computer networks through the 
Internet. The massive flow of data produced by these objects allows for their operations 
and the environments in which they operate to be monitored (Chui et al., 2010). This 
way, the things can tell their owner or the company using them their general operating 
status, potential maintenance needs, productivity, estimated time of arrival at a 
predetermined location, but also the heart rate or blood-glucose level of the person 
equipped with such a device, etc. (Gens, 2011:18). The Internet will therefore expand to 
encompass not only traditional digital networks, but also local networks of objects able 
to communicate with each other and their controllers (Hourcade et al., 2009: 2). 

Development of the technology 

Gartner estimates that this trend will peak within a decade, though there are already 
more objects than just computers connected to the Internet (Fenn and LeHong, 2011: 
23). Cisco predicts that over 50 billion objects will be connected to the Internet in 2020 
(Evans, 2011: 3), while the international telecommunications operators association is 
more circumspect, with an estimate of 24 billion, which is explained by a more 
restrictive definition of what constitutes a connected object (GSMA, 2011: 3). 

Development drivers 

The first development driver is technical. Although the concept of the IoT is not new in 
and of itself, the miniaturization of electronic components, their low prices and the 
increase in calculation power and bandwidth of computer networks have led to a 
diversification and acceleration in the number of objects that can be connected to the 
Internet (Fenn and LeHong, 2011: 6). The adoption of Internet Protocol version 6 (IPv6), 
which increases the number of available addresses from 4.2 billion to 340 sextillion 
(10^®), will also facilitate the expansion of the Internet of things and open the door to 
countless new possibilities, provided they add value to existing services. 

From a functional perspective, the IoT should allow businesses and public institutions to 
provide services that were previously unavailable and that will increase the quality of 
life of users, such as locating parking spaces in a neighbourhood in real time, or 
improving the quality of care by bringing patients in distress together more quickly with 
the closest medical expertise (Fenn and LeHong, 2011: 23). The many practical 
applications of the IoT that will allow individuals and organizations to optimize their use 
of space and time should feed the rapid growth of this trend over the next few years. 

Finally, from an economic perspective, the Global System for Mobile Communications 
Association (GSMA) assesses that opportunities for profits associated with the IoT will 
be 445 billion dollars for the consumer electronics industry, 202 billion for the 
automotive industry, 69 billion for the health sector and 36 billion for utilities 
(electricity, water and gas) distributors (GSMA, 2011). 

Implications for cyber security 

The IoT will open up new possibilities in surveillance, which risk raising many ethical and 
privacy issues. Unlike video surveillance systems that are limited in the type of data they 
can gather and process, the IoT will be able to provide security services access to very 
rich data; not only photos taken by smartphones, but also sounds, smells, chemical 
compositions, biometric information, etc. (Silberglitt et al., 2006: 28). A few Canadian 
police services have already used the recording capabilities of electronic devices used by 
normal citizens to identify the perpetrators of vandalism during urban riots in Montreal, 
Toronto and Vancouver. Other North American cities such as Washington, Los Angeles 
and Boston have installed clusters of acoustic sensors in their most violent neighbourhoods 
that can pinpoint the origin of gunshots or cries of distress (Klein, 2006; Ntalampiras et 
al., 2009). The IoT will speed up this trend of using sensors for security functions. 
However, the use to which these capacities will be put will certainly raise many 
objections from privacy-protection organizations. 

The increased number of entities connected to the Internet will mathematically increase 
the number of targets available to hackers, whether those targets are cars, medical 
instruments or home appliances (home automation). Already in 2010, a disgruntled 
employee of an auto dealership in Texas succeeded in hacking about 100 vehicles by 
remotely accessing the vehicle immobilization system intended to be used in the event 
owners fail to make monthly payments (Poulsen, 2010). Researchers also showed how 
insulin pumps, pacemakers and cardiac defibrillators implanted in the bodies of patients 
could be hacked and reprogrammed remotely by exploiting the poor security features of 
these products (The Future Laboratory, 2011: 11). 

Because of the numbers of these products and the requirement to maintain the lowest 
possible production and operating costs, the designers and manufacturers of these 
connected devices will probably be unwilling (or unable) to equip them with very 
restrictive security devices, except for those devices integrated into costly consumer 
goods (such as luxury vehicles) or essential services associated with human health or 
essential infrastructure (smart meters). This reluctance risks creating new vulnerabilities 
for the Internet as a whole, since these objects could be used by hackers as access 
points from which to attack more attractive systems (Roman et al., 2011). 

The implications are not just digital in nature, since the proliferation of Internet- 
connected objects in public spaces (traffic lights, video surveillance cameras, vehicles, 
various meters, etc.) will also pose the problem of the physical security of those objects. 
Unless protection and hardening mechanisms are developed, these objects will be 
beyond the vigilance of capable guardians, in which case they will make attractive 
targets for motivated offenders (Cohen and Felson, 1979) who will use them to obtain 
physical access to sensitive computer networks. 
Mobile Internet 


The concept of mobile Internet or mobile computing designates all technologies that 
provide full or partial access to the Internet using mobile devices such as smartphones 
or tablet computers (such as an iPad). The mobile Internet is made up of three 
components: 1) the mobile devices that make it possible; 2) the applications that allow 
these devices to connect to computer networks (such as Apple's iOS, Google's Android, 
Microsoft's Windows 8 or Blackberry's OS operating systems), as well as the many 
applications available for each of them; and 3) the technologies that allow Internet sites 
to recognize which users are connected via mobile technologies and therefore provide 
them with content adapted to their geographical position or personal interests. 

Development of the technology 

The mobile Internet was born around the late 1990s (Kaikonnen, 2009), but it remained 
a relatively marginal phenomenon until recently. The current growth in the market for 
smartphones, which integrate telephony, data management, photography, video, music 
and geolocation, feeds this trend and allows users to be connected to the Internet 
anywhere and at any time. 

In 2012, IDC forecasts that sales of mobile devices (895 million units) will be double the 
sales of classic computers (400 million units) (Gens, 2011: 7), and that spending 
associated with data consumption via mobile networks will for the first time surpass the 
spending associated with data consumption via fixed networks (ADSL or fibre optic 
connections, for example). The anticipated downloading of 85 billion mobile apps 
should allow the mobile Internet to sustain very dynamic growth for another few years 
(Gens, 2011). 

By 2015, one quarter of the active SIM cards® in the world will be associated with 
smartphones or mobile modems (identical to 3G keys), which will represent a market of 
1.5 billion consumers (GSMA, 2011: 2). 

Development drivers 

The first development driver is economic. Mobile telecommunication companies are 
investing massively in deploying latest-generation technologies (3G, LTE) that will 
provide mobile Internet access that is as fast as residential high-speed access. Over the 
next five years, global investments in this field are expected to reach over 100 billion 
dollars, and 300 million users are expected to be connected to latest-generation LTE 
networks in 2015 (GSMA, 2011: 2). The profits that these companies hope to make from 
the sale of data services are directly proportional to the investments agreed to and 
therefore explain this investment craze. 


® SIM cards are chips that identify a user on a mobile network. 





The technical implications of these financial investments will be felt very quickly, 
inasmuch as the GSMA (2011: 4) expects that this technical infrastructure will multiply 
by 10 the volume of digital data that will transit over mobile networks between now and 
2020, reaching 42 exabytes. This growth in data exchanged will benefit especially 
developing countries, where mobile Internet will be a way to directly access high-speed 
connections, in the absence of land-based infrastructure (ITU, 2010: 2). 

The economic and technical drivers will also lead to a third driver at the commercial 
level. Service businesses see opportunities to exploit in the mobile Internet, given that 
the applications will allow them to improve the profitability of their business models 
and interact in a much more personalized way with their clients, taking advantage 
especially of the geolocation abilities of the mobile Internet (Yuan and Barker, 2011: 6; 
Webbmedia, 2011: 12). In response to this commercial driver, it is estimated that by 
2013, almost 80% of businesses will equip a portion of their employees with tablet 
computers (Yuan and Barker, 2011: 6). A potential barrier to this driver toward better 
productivity is the multiple competing platforms (Android, iOS, Windows 8, Blackberry 
OS, webOS, etc.). This competition may lead to higher development costs for new 
applications, especially if they must be available across all existing platforms (IBM, 
2011:7). 

Implications for cyber security 

Consumers will use the technical capabilities of smartphones and mobile devices, 
combined with the services offered by businesses, to make financial and banking 
transactions online anywhere and at any time. Furthermore, mobile wallets, intended to 
replace cash payments, are being developed. Fraudsters will therefore find a new source 
of revenue, and malware infections of phones should rise sharply, reflecting the high 
rate of adoption of the mobile Internet. Norton, the Internet security company, found in 
a survey that 10% of the adult population has reportedly already been the victim of 
crimes associated with the use of smartphones, and Symantec assessed in 2010 that the 
threats specific to the mobile Internet had increased by 42% compared with the 
previous year (Albanesius, 2011). 

As in any period when new risks are emerging, offenders will benefit from a window of 
opportunity when the public remains poorly informed of the vulnerabilities to which 
they are exposed, and what protective measures they should implement. Thus, a recent 
survey conducted in France showed that only 4% of smartphone users were concerned 
by the risks associated with computer viruses, while this figure was 22% for Internet 
users (The Future Laboratory, 2011: 14). Similarly, almost one third of respondents in a 
survey carried out by Damballa in 2011 were concerned by cyber crime associated with 
the use of personal computers, while the number was only 13% for cyber crime 
associated with smartphones (Damballa, 2011). These results mean lower adoption 
rates for security solutions among users of the mobile Internet, since only 16% had 
installed the most recent security applications, and 13% of people questioned had 
installed software capable of erasing personal data in the event of a loss or threat 
(Damballa, 2011). In this context, the security of applications downloaded by users and 
the oversight policies (forward- and backward-looking) implemented by the large 
platforms such as Android Market or iTunes App Store will prove decisive (Giles, 2010). 

Security problems associated with the mobile Internet are not restricted to software. 
The equipment on the market and the component supply and distribution chain will also 
have to be subject to particular vigilance. Thus, in 2010, the Spanish subsidiary of the 
English telecommunications giant Vodafone was faced with an incident in which 3,000 
smartphones infected with the malware Mariposa were sold by its own accredited 
resellers (Leyden, 2010). 

Obviously, the mobile Internet will not just be an additional source of risks, and many 
financial institutions have already integrated into their anti-fraud programs e-mail and 
SMS alerts that will facilitate the early identification of suspicious transactions 
(deVilliers, 2010). The mobile Internet therefore has an attractive potential to 
contribute to the security of the digital ecosystem. 
Brain-computer interfaces 

Brain-computer interfaces are technologies used to directly connect external computer 
devices to the human brain or nervous system. These devices allow individuals to 
interact with computers by thought. These technologies are currently used in medicine 
to compensate, assist or augment the cognitive and motor functions of individuals with 
physical disabilities (paralysis, locked-in syndrome) or psychological disabilities (stress, 
attention deficit) (Foresight Horizon Scanning Centre, 2010). These technologies 
generally involve the use of more or less invasive electrodes that work by simple contact 
with the scalp or by being surgically implanted directly into the brain to capture the 
waves emitted by the brain (Demetriades et al., 2010: 267). 

Development of the technology 

This technology has been in development since the early 1970s, but few advances were 
initially made because of the technical limits of electro-encephalography (EEG), the 
method by which electrical activity in the brain is measured. The error rate 
between the signals emitted and signals interpreted long remained too high to consider 
applications outside the research laboratory (Wang and Jung, 2011: 2). 

These interfaces fall into the continuum of the extension of intuitive interfaces using 
digital technologies, such as voice-recognition systems, touch screens or motion- 
detection systems such as those found in the Nintendo Wii, Microsoft Kinect or Apple 
SIRI. These previously costly technologies that were restricted to the world of research 
or business are appearing in consumer electronics and will gradually replace the 
keyboard and mouse as humans' preferred ways to interact with machines (Yuan and 
Barker, 2011). 

Development drivers 

At the technical level, the development of non-invasive methods of measuring brain 
activity and lighter and lighter equipment should accelerate the development and 
adoption of this technology. In fact, until recently, it was believed that brain-computer 
interfaces would require electronic implants in the human brain to function effectively, 
which constituted a major technical barrier to the development of this technology for 
commercial applications (Silberglitt et al., 2006: xix). Significant advances have been 
made in this field, and for the past few months Emotiv® has been marketing a $300 
wireless neuro-headset to capture and process brain signals. Research is also under way 
to measure brain signals without physical contact, by combining several different types 
of sensors (Fenn and LeHong, 2011). The miniaturization and drop in cost of this 
technology, as well as the development of consumer applications and the refinement of 
techniques to interpret the signals emitted by the brain should promote the adoption of 
this technology within the next five years, according to IBM Research (Brown, 2011). 


^ http://www.emotiv.com/index.php . 
Implications for cyber security 

This technology demonstrates strong potential for lie detection and directly reading 
memories, which does not concern cyber security as such but illustrates the 
convergence between advances in digital technologies and their applications to more 
traditional security problems. However, such uses will raise unparalleled problems in 
terms of privacy protection if it becomes possible to read thoughts or measure emotions 
of individuals against their will on a routine basis and with a satisfactory reliability rate. 

Brain-computer interfaces also open the door to new risks of brain hacking, especially 
since the long-term effects of these interfaces on human subjects and the personality 
changes they cause remain very poorly understood (Clausen, 2009). Pursuing this line of 
thought, one could imagine attacks launched from the digital ecosystem, from 
computers, at human targets, which could have the direct consequences of lasting 
psychological or physical harm. This possibility would be an additional and novel 
convergence between digital and physical risks. Similarly, these technologies might also 
be used as substitutes for currently available narcotics, and new criminal markets similar 
to the drug markets could offer novel addiction experiences through these interactive 
networked technologies (Cave et al., 2009: 15). 

The spread of this technology will also require us to reconsider the current rules used to 
establish individuals' criminal responsibility. If a criminal act results from an erroneous 
interpretation that a brain-computer interface might make of a user's thoughts, how 
can responsibility be apportioned with certainty to the various components of this 
hybrid system (Nishida and Nishida, 2007)? It can therefore be imagined that the 
regulation of this technology will need to combine legal, technical and medical 
approaches, which risks posing a significant problem for regulatory authorities, who 
have little experience operating at the intersection of several fields of activity (Cave et 
al., 2009; Demetriades et al., 2010). 
Near field communication (NFC) payment 

Near field communication (NFC) payment uses various wireless communication 
technologies related to RFID chips to facilitate financial transactions at points of sale. 
This technology is primarily installed on payment cards and on mobile phones, which 
can carry out a transaction if placed a few centimetres from a properly-equipped 
receiver, which accelerates considerably the point-of-sale process (Tata, 2011: 9). This 
technology is intended to facilitate near field interactions between various devices, and 
competes directly with traditional payment methods such as cash, or credit or debit 
cards (Ondrus and Pigneur, 2009). 

Development of the technology 

Starting in 2003, US company Applied Digital Solution (ADS) created the VeriPay system, 
a sub-cutaneous RFID chip used to pay for purchases without taking out one's wallet. 
However, this system never succeeded as the company hoped, and production stopped 
in 2010. 

Major industry players, such as Google (Google Wallet), Apple, Nokia (Obopay system), 
AT&T, T-Mobile and Verizon (Isis consortium), or BMW (Connected Drive key 
technology) have in recent months made large investments in this technology and are 
expected to market it to consumers. Silicon Valley companies such as Naratte (Zoosh 
system) are also developing technological alternatives that will nevertheless accomplish 
the same functions as the NFC payment systems described above (Webbmedia Group, 
2011: 12). 

Development drivers 

Currently, this technology has had very different adoption rates at the international 
scale. While it is popular in Asia (particularly in Japan), it is still having trouble breaking 
into European and North American markets. Commercial and economic drivers must 
therefore be examined to find the reasons for these different rates of development. 

From a commercial standpoint, the spread of this technology will be determined 
primarily by its adoption in areas of quick service and in economic sectors where 
transactions are very frequent, such as in public transit (Ondrus and Pigneur, 2009). In 
the United States, Starbucks coffee shops were among the first businesses to invest in 
this technology (Kunur, 2011), and in Canada, many public transit organizations sell their 
monthly passes on near-field payment cards (Opus card in the Montreal area). The 
arrival of Google and Apple in this market should also accelerate the rate of adoption. 

However, the commercial efforts will not be the only determining factors in the 
development of this technology, which operates based on a particular economic 
structure. NFC payment is what economists call a two-sided market, in which users and 
businesses must adopt the technology simultaneously for it to spread (Rochet and 
Tirole, 2003). Companies in the financial sector, which learned to master this type of 
market through payment cards, will play an important role. Their ability to reach 
strategic agreements with the telecommunications companies will be a determining 
factor. In terms of further considerations regarding disruptive technologies, companies 
outside the banking sector (for example Internet and telecommunications) may choose 
to compete head-on with the financial sector companies by not associating with them in 
the deployment of this technology. For example, in March 2010, China Mobile, which as 
its name indicates specializes in cellular telephony, invested almost six billion dollars in 
the Shanghai Pudong Development Bank to speed up the commercialization of its online 
payment services (Bloomberg, 2010). 

From a technical standpoint, interoperability between the various systems under 
development remains an unresolved issue, and until international standards have been 
accepted by all actors in this emerging market or a consortium of dominant actors has 
asserted its supremacy, this technology will have difficulty developing on a global scale. 

Implications for cyber security 

The implications for cyber security are similar to those raised for the mobile Internet, 
but an additional problem arises from the unsecured transmission of bank data that 
leads to a risk of the data being intercepted and manipulated by malicious third parties 
(Balaba, 2009). In fact, the technology is not designed for applications associated with 
the transmission of sensitive data, and telecommunications operators, makers of 
telephones and payment terminals, as well as application designers, will have to 
superimpose their own security solutions onto the existing technological infrastructure. 



Mobile robots 


The term mobile robots refers to multi-jointed mechanical systems able to travel 
autonomously or semi-autonomously that have the ability to influence their immediate 
environment (Fenn and LeHong, 2011). These machines perform three main tasks: 
perception, reasoning and action. Some of these robots also have wireless 
communication functions that allow us to consider the concept of collaborative robots 
(MEFI, 2011: 74). 

Development of the technology 

Mobile robots can be found in a growing number of sectors, such as manufacturing, but 
also in service businesses, in the health sector and in roles where they replace humans 
to accomplish dangerous tasks. 

Japan and Germany are the most advanced countries in the development of civilian 
mobile robotics, while the United States and Israel dominate the military robotics 
market. France's department of the economy estimates that the robot market could 
represent 30 billion dollars by 2015 (MEFI, 2011). 

Development drivers 

From a scientific standpoint, recent progress in biomedical engineering has made 
possible the design of robots whose mobility now approaches that of living beings 
(Newton and Pfleeger, 2006: 187), as proven by the models developed by Sony and 
Honda (see below), but also by Boston Dynamics for the BigDog robot intended to 
transport American troops' gear over rough terrain (Raibert et al., 2008). Nevertheless, 
significant advances remain to be made in terms of "natural" communication between 
machines and humans so that they can share space and cooperate harmoniously (Luo 
and Perng, 2011). Artificial intelligence and vision, which determine robots' 
understanding of the 3D world that surrounds them, also require additional research 
(Costa et al., 2011). Finally, information processing, such as the ability to forget in order 
to purge useless information to avoid overloading sensors, must be improved to make 
these machines' performance consistent with their mission to operate in complex 
environments (Freedman and Adams, 2011). 

Regarding the industry drivers, Sony and Honda have revealed that they have created 
companion robots with a human or animal appearance, which suggests that this market 
should grow in the coming years so that it is no longer concerned exclusively with 
professional applications. The algorithms and software applications are also the subject 
of industrial initiatives promoting the development of new products: Microsoft and 
iRobot have now given robotics engineers access to the source codes for their products 
(Kinect and Roomba), so that the engineers can freely integrate them into their projects. 

Social drivers will also play an important role in the development of mobile robots. The 
aging population in Western countries and limited room in budgets for the costs of 
institutionalizing people with reduced mobility will lead to the development of 
technologies to help seniors stay in their homes. Mobile robots could therefore be an 
attractive alternative combining the functions of helping with household tasks and 
monitoring the vital signs of their owners and alerting the appropriate resources in the 
event of health problems. Robots could also be used in the workplaces of employees 
with extremely rare skills (in particular surgeons), to allow these employees to "project" 
to several locations simultaneously. These robots would embody existing individuals in 
locations they cannot reach but where their expertise is required (Newton and Pfleeger, 
2006: 187). However, social acceptability will be one barrier to overcome. The fear of 
interacting with machines that are too anthropomorphic (or not anthropomorphic 
enough), or the fear of having these machines displace the jobs of humans could slow 
the development of this technology (Salvini et al., 2010a). 

Implications for cyber security 

The proliferation of autonomous robots in the public space will raise new risks for the 
safety of individuals, in particular if the robots behave undesirably or commit errors that 
cause accidents. Rules and standards for behaviour that respects the physical integrity 
of humans must therefore be developed and inserted into the control applications of 
these robots to reduce the threats (Bicchi et al., 2010) and assign responsibility in the 
event of an accident. 

Given that communications with mobile robots will be based on wireless technologies 
(see the Internet of things and mobile Internet sections), the spread of these machines 
in the public space will generate opportunities for malicious hackers to take control of 
them. The communication protocols that will be used and the authentication 
mechanisms used to send instructions to mobile robots must be subject to careful 
precautions, even if this would increase the operating costs. For example, American 
military drones used in Iraq have already been hacked by insurgents who were able to 
intercept the signals emitted and determine the persons or locations targeted by the 
drone operators. Interceptions of this type of signal risk growing with the increasing use 
of robots for surveillance, whether in the air, on water or on land (inside and outside) 
(Raty, 2010). Hackers could use this surveillance data to plan physical attacks (such as 
burglaries) or to access personal information likely to help them in their digital attacks 
(such as gathering identifiers and passwords). 

The legal status of robots that will soon be autonomous and may have something similar 
to intentions will also need to be the subject of extensive reflection (Salvini et al., 
2010b). Since 2003, Japan has had geographical areas in which robots can operate in the 
public space without a special permit (called Tokku or deregulated zones), but this 
particular legal status is limited to prototype experiments and tests. 
Quantum computing 

Quantum computing is a branch of computer science that is still at a very embryonic 
stage of development that nevertheless suggests revolutionary applications in terms of 
calculating power and therefore security. Quantum computing uses the laws of 
quantum mechanics to process large volumes of information much more efficiently than 
traditional computing. Traditional computing uses the unit of measurement of bits, 
which are used to code information in a binary format of ones and zeros. By contrast, 
quantum computing is based on qubits (abbreviation of quantum bits), which have two 
characteristics unique to quantum mechanics, which are superposition and 
entanglement. Superposition is a phenomenon by which the same system can be in 
different states simultaneously, which increases considerably the complexity of 
operations that can be performed. Entanglement describes a very strong correlation 
between quantum particles that behave identically, even if they are separated by large 
distances. This second property is particularly useful in a security context, because any 
attempt to intercept an encrypted message exchanged between two parties will change 
the state of the particles received and will indisputably reveal the attempt at 
compromising the message. 

Development of the technology 

For the moment, quantum computing remains essentially in the theoretical stage, 
although very specialized quantum cryptography solutions are already on the market. 
The rare computers that have been built remain confined to the laboratories of large 
universities and companies carrying out research in this field. The University of 
Waterloo, in collaboration with the Massachusetts Institute of Technology, developed 
the most powerful quantum computer to date, which can process 12 qubits. However, 
this machine remains insufficient to equal the performance of traditional computers, as 
admitted by its own designers. Because of the instability of quantum systems and the 
many technical obstacles to be overcome, many years will be required for quantum 
computing to fulfil its promises (QISTEP, 2004). A few years after that opinion, the Rand 
Corporation described its technical feasibility as highly unlikely (Silberglitt et al., 2006: 
xix). 

Development drivers 

Among the industry drivers, it should be stated that large corporations such as IBM, HP, 
Microsoft and Google, as well as start-ups such as D-Wave Systems in British Columbia, 
or MagiQ Technologies in the United States, are investing large sums in quantum 
computing to accelerate the development of machines and practical applications. 

These industry efforts are being pursued jointly with the research world, which is 
benefiting from significant financial support. In Canada, for example, Mike Lazaridis, the
co-founder of Research in Motion (RIM), donated 100 million dollars to the University of
Waterloo in 2002 to fund the creation of the Institute for Quantum Computing (Gillmor,
2012), to which the Government of Canada awarded an additional grant of 50 million in
2009. Other countries, such as the United States, China and the European Union, are
investing significant resources in basic and applied research on this technology (Palmer,
2009; Weinberger, 2009; Shay, 2010).

http://iqc.uwaterloo.ca/welcome/quantum-computing-101

Implications for cyber security

Quantum computing is particularly suited to several categories of problems that are 
central to cyber security, such as cryptography and cryptanalysis. 

In cryptography, quantum computing would be able to produce and send unbreakable 
encryption keys, since any interception would be detected instantaneously. This 
property would make it an indispensable tool for intelligence agencies, other 
government services requiring high levels of confidentiality, and financial institutions 
(Silberglitt et al., 2006: 31). 
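The detection property described above can be illustrated with a classical simulation of BB84, a prepare-and-measure quantum key distribution protocol. This is an added example, not part of the original report, which does not name a protocol; BB84, the intercept-and-resend eavesdropper model, the noiseless channel, the function names and the 5% abort threshold are all assumptions made for the illustration.

```python
import random

RECT, DIAG = 0, 1  # the two measurement bases used in BB84


def measure(bit, prepared_basis, measuring_basis, rng):
    """Measuring in the preparation basis returns the encoded bit.
    Measuring in the other basis returns a uniformly random bit."""
    if measuring_basis == prepared_basis:
        return bit
    return rng.randint(0, 1)


def run_session(n_photons, eavesdropper, seed=1, abort_threshold=0.05):
    """Simulate one key exchange over a noiseless channel (assumption).

    Returns the sifted key length, the number of publicly compared bits,
    the error rate observed on that sample (QBER) and the abort decision.
    """
    rng = random.Random(seed)
    alice_key, bob_key = [], []

    for _ in range(n_photons):
        # Alice encodes a random bit in a random basis.
        bit = rng.randint(0, 1)
        a_basis = rng.choice((RECT, DIAG))
        flying_bit, flying_basis = bit, a_basis

        if eavesdropper:
            # Intercept-and-resend: the eavesdropper must pick a basis
            # without knowing Alice's, measure, then resend what she saw.
            # A wrong guess re-prepares the photon in the wrong basis.
            e_basis = rng.choice((RECT, DIAG))
            flying_bit = measure(flying_bit, flying_basis, e_basis, rng)
            flying_basis = e_basis

        # Bob also measures in a random basis.
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(flying_bit, flying_basis, b_basis, rng)

        # Sifting: bases are announced publicly, mismatches are discarded.
        if b_basis == a_basis:
            alice_key.append(bit)
            bob_key.append(b_bit)

    # Alice and Bob sacrifice a random half of the sifted key and compare
    # it in the clear to estimate the error rate.
    sample = rng.sample(range(len(alice_key)), len(alice_key) // 2)
    if not sample:
        raise ValueError("too few photons to estimate an error rate")
    mismatches = sum(alice_key[i] != bob_key[i] for i in sample)
    qber = mismatches / len(sample)

    return {
        "sifted_bits": len(alice_key),
        "sampled_bits": len(sample),
        "qber": qber,
        "abort": qber > abort_threshold,  # key is discarded, not used
    }


if __name__ == "__main__":
    for label, tapped in (("clean channel", False), ("tapped channel", True)):
        result = run_session(4000, eavesdropper=tapped)
        print(f"{label}: QBER={result['qber']:.3f} abort={result['abort']}")
```

On the tapped channel roughly a quarter of the compared bits disagree, because the eavesdropper guesses the wrong basis half the time and each wrong guess randomizes Bob's result; on a real link the threshold also has to absorb ordinary channel noise.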

In the field of cryptanalysis (deciphering encrypted messages without a key), the 
calculation power provided by quantum computing would in principle allow the most 
powerful encryption keys to be broken with no great difficulty and would render all 
communication fundamentally vulnerable (Sanders, 2012). 

Therefore, a decisive breakthrough in the implementation of the theories of quantum 
computing would have the potential to threaten the cyber security, and more broadly 
national security, of the adversaries (or even allies) of the state that first made this 
discovery. 


http://www.ic.EC.ca/eic/site/icl.n5f/eng/04558.html . 

Militarization of the Internet


The militarization of the Internet (or Internet weaponization) does not stem from any 
particular technological innovation, but rather from the development of strategic and 
tactical doctrines. Although the history of the Internet is intimately tied to military 
investments made by various research agencies of the US Department of Defence since 
the early 1960s, until now, the digital environment had not been considered a
full-fledged battlefield in the same way as the land, sea, air or even space environments
were. Of course, electromagnetic signals have been the subject of military applications 
since the Second World War, but always for instrumental purposes, to guarantee 
operational superiority in classical armed conflicts involving the mastery of the four 
previously-mentioned battle spaces. 

Development of the trend 

In the past few years, military doctrine has changed to make control of the Internet not 
only an internal security issue but also a national security issue, with a sharp increase in 
the resources devoted to the development of offensive and defensive capabilities 
(Deibert, 2010). 

In 2011, the Pentagon developed a strategy to treat digital environments (or cyber 
space) as a separate operational domain, officially putting emphasis on the protection of 
critical infrastructure and networks (DoD, 2011). However, a less-publicized offensive 
aspect of this strategy also seems to have gained operational power. The computer virus 
Stuxnet, primarily directed against Iran's military uranium enrichment program, was 
attributed by many experts to a covert initiative of the US government aimed at 
developing a cyber arsenal. This conclusion was reached primarily because of Stuxnet's 
degree of sophistication and the resources required to create such a virus. 

However, the United States is not the only country to develop military capabilities in this 
field. At least 32 other states (including Canada) have explicitly acknowledged 
developing offensive and defensive operational capabilities in cyberspace (Lewis and 
Timlin, 2011). Some countries devote very large budgets to it, such as the United 
Kingdom, which in 2010 made public plans to spend one billion Canadian dollars over 
four years in the context of its military cyber security policy, while the Pentagon spent 
just over 3.2 billion US dollars in 2012 on its defensive and offensive efforts in the cyber
domain (Sternstein, 2011). 

Development drivers 

Among the legal drivers are the law of war and international conventions, as well as 
national legislative provisions. These various legal frameworks will determine (at least 
for liberal democracies) how and whether offensive and defensive tools will be able to 
be officially integrated into the military arsenal, or whether on the contrary they will be 
restricted to covert use. Thus, on December 12, 2011, the US Congress authorized the 
Pentagon to undertake offensive actions in cyberspace within the existing legal
framework on committing US troops to armed conflicts. However, the classic legal
instruments should probably be amended to take into account the technical specificities 
of these new offensive capabilities, such as the difficulty of tracing the perpetrators of 
attacks, for example. This reform of the law of war does not yet seem to have started. 

The technical and economic drivers are based essentially on the costs to research and 
develop offensive digital weapons, which are proving much more affordable than 
conventional weapons. This characteristic therefore makes them available to 
intermediate military powers, and even powers marginalized on the international scene, 
such as North Korea or Iran. These weapons will appear even more attractive because 
the growing dependence of critical infrastructure on digital networks will give the 
weapons an undeniable power for harm and destruction. However, the predictions that 
liken this type of attack to a digital "Pearl Harbor" seem excessive and underestimate or 
pretend to ignore the resilience of the digital ecosystem. 

Strategic drivers also explain the attraction Internet militarization represents for some 
states. The architecture of digital infrastructure means that the use of offensive digital 
weapons can always have plausible deniability, and assigning responsibility for such an 
attack remains impossible to establish with absolute certainty (NCIX, 2011). Therefore, 
this type of weapon is very advantageous operationally, because it significantly reduces 
the risks of retaliation. 

Implications for cyber security 

First, the militarization of the Internet, if it is not subject to an international framework 
by major treaties modelled after those used during the Cold War to limit the production 
of nuclear weapons (SALT, START and ABM), risks resulting in an arms race-type 
situation. The primary difference would be that, instead of the previous bilateral 
confrontation (USA-USSR), a much more open and unstable multilateral configuration 
would be at play, grouped around three dominant actors in this field: the US, Russia and 
China (Yannakogeorgos, 2009). Such an arms race would threaten the digital ecosystem 
with uncertainty and destruction the scale and consequences of which are difficult to 
foresee. 

The increasing offensive capabilities described earlier will also contribute to increasing 
insecurity on the Internet by promoting the uncontrollable proliferation of ever more 
sophisticated digital weapons. Aside from the uncertainty and the new threats this 
militarization will bring to civil and commercial operators, the open and distributed 
architecture of the Internet means that, once used, these digital weapons can be 
analyzed and recycled by anyone with sufficient reverse-engineering technical 
capabilities. In the particular ecosystem of the Internet, malware developed for national 
security purposes could thus quickly be found in the hands of criminal interests, which 
has already been observed in the case of the Stuxnet virus. In December 2010,
weaknesses not yet known (zero day exploits) used by this virus appeared in the
malware TDL-4, one of the largest botnets currently in operation (Golovanov, 2010).

National Defense Authorization Act for Fiscal Year 2012 (HR 1540), section 954.

More generally, the militarization of the Internet introduces a dangerous confusion 
between the areas of internal security and national security, considering that the 
primary threats to the digital ecosystem are basically the responsibility of the armed 
forces, and that they must therefore deploy considerable resources and mobilize private 
actors in partnerships characterized by the secrecy needed to deal with the situation. 
While this approach will please defence contractors, who see in it a very lucrative source 
of revenue for coming years, its main fault is in bringing a single and disproportionate 
response to risks as diverse as criminal risks (cyber fraud, online harassment, production 
and consumption of child pornography), economic risks (illegal downloading of content 
protected by various intellectual property regimes), risks associated with cyber 
espionage (acquisition by government or private entities of secrets held by adversaries 
or competitors) or military risks, which imply the destruction of physical or computer 
assets. Without denying the need for armed forces to adapt their attack and retaliation 
capabilities to the new realities of current and future digital ecosystems, debate should 
be initiated as soon as possible to define the role that armed forces will need to play in 
the cyber security ecosystem, working beside other actors that are just as important, 
such as police agencies, private security, high-tech companies, NGOs, regulatory and 
legal authorities, and of course users. If this debate does not take place, this 
militarization risks making the digital ecosystem more fragile and destabilizing it rather 
than making it more resilient to the various threats listed previously. 

Conclusion and recommendations


This last section will deal with several themes that intersect the nine trends identified in 
the report and their implications for cyber security, and it will also formulate a few 
general recommendations that must nevertheless be considered carefully, given the 
forward-looking nature of the problems discussed. 

It must first be pointed out that these trends cannot be considered separately from 
each other, even though we used the tactic of studying them this way to facilitate 
describing and analyzing them in terms of development drivers and impacts on the 
security of the digital ecosystem. These nine trends are technically and socially 
interdependent, and some even have symbiotic relationships with each other (such as 
the mobile Internet and NFC payments). Other trends will converge to provide new 
services to individuals and businesses, such as the Internet of things, which will benefit 
from scientific advances in big data to improve business productivity. This convergence 
is already under way, because according to IDC, two thirds of the mobile Internet 
applications developed in 2012 will integrate the analytical capabilities offered by the 
companies at the forefront of big data, and half the applications will be connected to or 
integrated in cloud computing platforms (Gens, 2011: 9). 



The preceding diagram maps some of the interdependencies identified in the literature 
consulted, and makes no claims to be exhaustive, in that new links will certainly appear 
as hard-to-predict disruptive innovations occur. The primary consequence of this 
interdependence, aside from shedding light on the structural complexity inherent in the 
digital ecosystem, is to make us aware that any cyber security policy or strategy cannot 
be really effective unless it adopts an overall view of the various trends and continually 
monitors the development of their reciprocal interactions, since their respective 
maturation processes will vary greatly. 

Recommendation no. 1: Design and deploy procedures and tools for ongoing
monitoring, the objective of which will be to monitor the development of the digital 
ecosystem and survey the various actors and interactions, and assess the effects of 
these transformations on cyber security. 

The regulatory risk to avoid in this type of configuration is having a separate process for 
each of the trends identified, which leads to a fragmentation of the regulatory regimes 
and of the risk management strategies, and harms cyber security, where integration is 
indispensable, as highlighted previously.

Recommendation no. 2: Align the regulatory regimes applicable to the various
infrastructures, applications and content with the resources and strategies implemented
by a growing number of government actors, as well as their private partners, in order to
quickly detect emerging digital risks and limit their impact on a constantly evolving
ecosystem.

Three characteristics seem to be shared among the various trends analyzed in the 
previous pages; namely, the exponential increase in the number of entities connected, 
the quantity of data processed by these entities in the digital ecosystem, and the 
increased circulation of this data. These three properties will therefore increase the 
number of points and opportunities for compromising systems, making it possible to 
attack the most sensitive data and systems, which will destabilize the digital ecosystem 
if adapted strategies are not implemented. This expansion and diversification of the 
digital ecosystem must therefore be accompanied by institutional and regulatory 
innovations that will in some cases disrupt established practices and jurisdictions, and 
will be confronted with more or less intransigent manifestations of resistance. 

Recommendation no. 3: Initiate an in-depth consultation and reflection exercise to
formulate proposals on how to restructure existing government institutions or create
new ones to adapt the Canadian government's intervention and coordination abilities to
the new needs.

Remember, the designers of the Internet never imagined that it would one day transmit 
such a large quantity of data (Hourcade et al., 2009: iv), or that this data would occupy 
such an important place in the workings of organizations and the daily life of individuals. 
The result is that each new trend identified in this report adds complexity to a global 
digital ecosystem already confronted with tremendous challenges in terms of technical 
capabilities, resilience and security. Any disruptive technology causes the appearance of 
new actors in the digital ecosystem and causes business or technologies that failed to 
successfully adapt to this development to disappear. From a cyber security perspective, 
this instability makes efforts at coordination more difficult by constantly introducing 
new organizational actors whose abilities and willingness to contribute to the security of 
the ecosystem as a whole are difficult for their partners and the regulatory authorities 
to assess (and mobilize). 

The transformation of the notion of privacy in particular risks creating some tensions 
between defenders of the existing protection regime (at least in Canada and Europe),
the organizations with an insatiable appetite for their clients', users' or employees'
personal data, and the authorities responsible for securing the digital ecosystem. If 
users can be expected to continue to value their privacy and to demand that public and 
private organizations use their personal information with proper judgment, it seems 
difficult to justify basing this effort to meet the needs of the 2020s on regulatory tools 
developed during the 1970s and 1980s. Technological development must be 
accompanied by less dogmatic and more empirical thought on the emerging social 
norms in terms of privacy and on the resulting socially acceptable and ethically 
responsible practices. Large groups such as Facebook or Google may determine 
unilaterally (and based on only their business interests) what will be the limits of privacy 
in 2020, but to base the preservation of privacy, a central component in an information 
society, on a legal architecture inherited from the industrial era is completely 
unsatisfactory. This seems especially true since the convergence of traditional 
computing and bioinformatics, already discussed regarding brain-computer interfaces, 
will expand the thinking on privacy and cyber security to the realms of biology and 
health and will raise sensitive issues regarding individual rights and ethics. 

Recommendation no. 4: Intensify empirical research on the transformations of risks, 
standards and practices associated with privacy protection in the digital ecosystem. 

The implications raised in this report concern primarily cyber security, but the
omnipresence in our daily life of digital tools constantly connected via the mobile 
Internet, Internet of things or NFC payments, as well as their almost unlimited access to 
our personal data, will accelerate the convergence of cyber security problems with 
"classical" human or physical security problems. Better coordination between the actors 
responsible for law enforcement and prevention in very different areas of security will 
therefore be required. Since the current distinction between human security and cyber 
security is losing its meaning, local security institutions (primarily police services) that 
will no longer be able to evolve and redefine their mandate to integrate it into these 
two dimensions will certainly see their legitimacy questioned by the citizens they serve. 

Recommendation no. 5: Accentuate coordination and knowledge-transfer initiatives of 
national and provincial authorities in order to accelerate and standardize the 
development of local capabilities. 

Although we analyzed these nine trends based on a cyber security perspective, we must 
recall that the digital ecosystem has become not only indispensable to the proper 
functioning of the economy (via the integrity of financial transactions, for example), but 
it also plays a determining role regarding the research efforts carried out in other 
strategic technology sectors such as biotechnology, nano-technology or smart materials 
(Newton and Pfleeger, 2006: 188). In this respect, the security and stability of the digital
ecosystem are indispensable conditions to maintaining Canada's technological 
competitiveness and capacity to innovate. 

The above explains why it will be imperative to find a balance between strengthening 
cyber security and maintaining Canada's technical innovation capabilities and economic
competitiveness. As previously mentioned, in our opinion, the militarization of the
Internet is a destabilizing factor in this delicate balance. The theory of responsive
regulation of Ayres and Braithwaite (1992), which envisions a gradation in the coercive
level of control measures based on the severity of risks and the degree of cooperation of 
the actors involved, seems to be the best adapted to seeking this balance. 

Because of the forward-looking nature of this report, we did not discuss the following
issue for any of the nine trends. We could nevertheless logically imagine that, in the event that
democratic governments are unable to propose and implement satisfactory cyber 
security governance and control mechanisms, whether at the local, national or 
international scale, the open and distributed nature of the technologies described in this 
report, and their relatively affordable access costs could incite individuals or 
communities of hacktivists to promote self-defence and vigilante initiatives. These 
initiatives could thus increase further the insecurity and anarchy that reigns at the 
margins of the digital ecosystem. 

Finally, it would be counterproductive to take into consideration only the risks resulting 
from the trends examined in this report. As we illustrated in the case of brain-computer 
interfaces or quantum computing, some of these technologies also have a strong 
potential to improve Canadians' security, and these dual characteristics must be fully 
integrated into any cyber security planning. 

Executive summary


In October 2010, the Government of Canada published its cyber security strategy,
acknowledging the omnipresence of digital infrastructure, as well as the new
vulnerabilities that accompany this technological evolution. Because of the constant
innovation that characterizes the digital sector, and in order to respond to it
appropriately, any cyber security strategy must be accompanied by a forward-looking
exercise aimed at anticipating emerging technological, cultural and criminal trends.

This report identifies nine emerging technology trends based on 21 technology
foresight documents published by specialized companies and public bodies. These
trends bring together technologies with the potential to durably transform the digital
ecosystem, which we define as all of the infrastructure, software applications, content
and social practices that determine how it is used. The notion of an ecosystem allows
us to examine in an integrated manner the interactions between the technical,
economic, social, political and legal dimensions of this complex assemblage.

These nine trends are:

1. Cloud computing

2. Big data

3. The Internet of things

4. The mobile Internet

5. Brain-computer interfaces

6. Contactless payments

7. Mobile robotics

8. Quantum computing

9. The militarization of the Internet

The characteristics and development drivers of each of the nine trends were analyzed
through a review of the scientific literature and of the content of websites specializing
in new technologies. The degree of maturity and of diffusion among professional users
and the general public varies greatly from one trend to another. While cloud computing
and the mobile Internet are already part of our daily lives as consumers, quantum
computing remains at an embryonic stage of theoretical development, and practical
applications will not reach the market for at least ten years. With regard to
development drivers, several distinct categories were identified, notably scientific,
industrial, economic, social, legal and strategic drivers. Finally, each trend was analyzed
for its implications for cyber security. Among the implications that appear most
frequently are the multiplication of opportunities for malicious attacks; the failure to
take security needs into account during the development of the technologies
concerned, even when they are used to carry out financial transactions; the dilution of
system integrity control mechanisms, due to the ever-greater interconnection of
machines; and the erosion of the privacy of users, whose personal information
represents an irresistible source of added value for organizations.

A few themes that cut across the nine trends are also addressed in the conclusion.
These are the interdependence of the technologies examined, which will require the
implementation of integrated security policies in order to avoid a counterproductive
fragmentation of resources; the expansion and diversification of the digital ecosystem,
which will also require elaborate coordination policies; the transformation of the notion
of privacy; the convergence of cyber security and human security problems; the
indispensable balance between adequate cyber security measures and the maintenance
of an economic and technological competitiveness that rests on a certain regulatory
freedom; the risk of seeing groups of individuals adopt self-defence practices in the
event of state failure; and finally the positive contributions of some of the nine trends
to cyber security.

The following five recommendations, presented in this last section, translate the
findings of this report into concrete actions.

1. Design and deploy a methodology and tools for ongoing monitoring, the objective
of which will be to follow the evolution of the digital ecosystem, map its various
actors and interactions, and assess the implications of these transformations for
cyber security.

2. Align the regulatory regimes applicable to the various infrastructures,
applications and content with the resources and strategies implemented by a
growing number of government actors, as well as their private partners, in order to
quickly detect emerging digital risks and limit their impact on a constantly evolving
ecosystem.

3. Initiate an in-depth consultation and reflection exercise to formulate proposals
on restructuring existing government institutions or creating new ones, in order to
adapt the Canadian government's intervention and coordination capabilities to the
new needs.

4. Intensify empirical research on the transformations of risks, standards and
practices associated with privacy protection in the digital ecosystem.

5. Accentuate coordination and knowledge-transfer initiatives of national and
provincial authorities in order to accelerate and standardize the development of
local capabilities.

Introduction and context


In October 2010, the Government of Canada made public its cyber security strategy,
acknowledging the omnipresence of digital infrastructure in the daily life of users,
businesses and public institutions, as well as the new vulnerabilities that accompany
this technological evolution.

Because of the constant innovation that characterizes the digital sector, and in order to
respond to it appropriately, any cyber security strategy must be accompanied by a
forward-looking exercise aimed at anticipating emerging technological, cultural and
criminal trends. The velocity of innovation in the digital sector is largely attributable to
the frequency with which disruptive technologies appear; these constantly redefine the
properties of this market and exploit new opportunities in less dynamic markets, or
simply create new markets. The term "disruptive technology" was first used by Clayton
Christensen (1997) to analyze innovations that do not merely improve the performance
of existing technologies (these are then sustaining technologies), but instead define
entirely new products or services in order to meet unsatisfied needs, and consequently
durably transform the technological landscape of which they are part. But this notion of
disruptive technology can apply to any sector of activity, and it does not by itself
explain why the digital sector is so fertile in this regard.

It is rather the work of Yochai Benkler (2006) on the wealth of networks that allows us
to understand why this sector seems to be immersed in a permanent revolution. Benkler
postulates that digital technologies are at the origin of a new information ecosystem,
whose main property is that it is much less exposed to financial constraints than its
predecessors. Whereas a concentration of capital was required in the industrial era to
produce and disseminate information, the radical decentralization made possible by
contemporary technical and social networks would lower the costs of entry, and
therefore of innovation, for the new actors of the digital era (Benkler, 2006: 32), which
would in turn favour the emergence of disruptive technologies at ever shorter intervals.

The combination of these two lines of thought seems particularly stimulating to us,
because it allows us to envisage spontaneous forms of innovation coming from users
themselves or from actors considered marginal, such as fraudsters, hackers or
hacktivists. The proliferation of disruptive technologies would therefore multiply the
number of breaches (Killias, 2006), which would then be exploited by offenders without
being detected by the authorities for some time, before giving rise to more systematic
police and penal responses once a threshold of seriousness has been crossed.




In this report, we will therefore attempt to identify, based on the disruptive
technologies that should reach maturity over the next ten years, which breaches are
likely to affect the cyber security of Canadian citizens, businesses and institutions. This
approach therefore focuses on the medium-term evolution of the digital ecosystem,
and on the adaptations it will provoke among offenders, rather than on risky
predictions based on the current state of cybercrime.

Methodology

Nine sociotechnical and socioeconomic trends were identified from a review of 21
technology foresight reports published by companies such as Gartner Research, IBM or
PricewaterhouseCoopers, and public bodies such as the French Ministry of Industry or
the United Kingdom's Foresight Horizon Scanning Centre, which have developed
international expertise in this field. The list of these foresight documents or sites
appears in Appendix 1.

These trends bring together emerging technologies with the potential to durably
transform the digital ecosystem, which we define as all of the infrastructure, software
applications, content and social practices that determine how it is used (and, by
extension, how it is regulated). The notion of an ecosystem allows us to examine in an
integrated manner the interactions between the technical, economic, social, political
and legal dimensions of this assemblage characterized by complexity. Each trend brings
together convergent disruptive technologies that are made possible by scientific
breakthroughs or by new ways of combining or using existing technologies. In this
respect, they are not purely functional general trends, such as "infrastructure
convergence" or "personal identification and authentication" (Cave et al., 2009: 5), but
rather sociotechnical developments sufficiently well defined to correspond to industrial
and commercial actors and to perfectly identifiable legal or illicit uses.

The nine major trends were ranked by frequency of appearance in the foresight
reports. Those that are the subject of broad consensus or that seem closest to reaching
maturity appear at the top of the list:

1. Cloud computing - 15 mentions

2. Big data - 12 mentions

3. The Internet of things - 9 mentions

4. The mobile Internet - 7 mentions

5. Brain-computer interfaces - 7 mentions

6. Contactless payments (near field communication (NFC) payment) - 5 mentions

7. Mobile robotics (mobile robots) - 3 mentions

8. Quantum computing - 3 mentions

9. The militarization of the Internet (Internet weaponization)*

Once these nine trends had been identified, a more systematic search was launched for
each of them in the main scientific databases covering the following four disciplines:
computer science, criminology, sociology and management. The databases consulted
include: ProQuest (1,560 journals), Factiva (31,000 information sources), Web of Science
(ISI) (8,500 journals), Business Source Premier (EBSCO) (1,125 journals), ScienceDirect
(1,700 periodicals), SpringerLink (1,250 periodicals), NCJRS (210,000 indexed
publications on criminal justice issues) and SSRN (665,000 scientific preprint
articles). These databases were queried using the Maestro meta-search engine developed
by the Université de Montréal. Websites specializing in emerging technologies and the
analysis of their social implications were also consulted, among them Wired,
ArsTechnica, O'Reilly Radar or the MIT Technology Review, to name only a few.

For each of the nine trends, this report presents the elements that seemed most
significant to us in the texts consulted. Each trend is first given a brief technical
and historical presentation that traces its origin (where this is agreed upon) and its
main stages of development. The trend's recent evolution is then described, whether it
involves technological breakthroughs accelerating its development and commercial
applications, major investments made by public or private interests, or new social
behaviours that support very wide diffusion of the technology among users. The presence
or absence of the main drivers² that appear to influence the identified trends is then
examined, in order to understand how social needs, economic conditions, government
decisions or the development of new scientific knowledge could accelerate or slow the
emergence of these technologies. Finally, an analysis of the cybersecurity implications
concludes the study of each trend, whether these are the appearance of particular
vulnerabilities easily exploitable by offenders or more general issues regarding the
regulation of the actors directly or indirectly responsible for the security of digital
infrastructures.


¹ This last trend is not mentioned in any of the 21 reports, which focus on
technological innovations, but it follows from our observations and from the disclosure
of the increasingly numerous initiatives taken by states in this area. It therefore
seems to us to deserve its place in this foresight study.

² Silberglitt et al. (2006: 41-54) thus list the ten major drivers that influence most
technologies: financial costs, the legal and political framework, the social values of
public opinion, infrastructure, concerns about privacy, environmental factors,
investment in research and development, the level of education and literacy, demographic
factors, and governance and political stability.




This methodology was optimized to cope with severe time and resource constraints, which
notably explains why it relies exclusively on documentary data. The methodology
developed by the Rand Corporation to anticipate the impact of new technologies on
international affairs by 2020 is a much more costly alternative, which nevertheless
allows the impact of these technological trends to be examined more systematically. A
single numerical indicator measures, for each trend, technical feasibility (the
probability that the technology can be commercialized), ease of implementation (the net
difference between the non-technical drivers of and barriers to implementation, such as
demand, acquisition costs, public policies, infrastructure needs and the regulatory
framework), and the degree of diffusion (global or moderate). Each trend's score is then
weighted by country, to reflect each nation's differing capacity to appropriate emerging
technologies in order to solve economic, political and social problems (such as
sustainable development, energy independence, public health, the maintenance of credible
defence capabilities, etc.) (Silberglitt et al., 2006). A similar methodology, adapted
to cybersecurity issues and updated at regular five-year intervals, would certainly
produce better-supported predictions and a more reliable ranking of the trends likely to
generate profound transformations.

Finally, we caution the reader about the hypothetical nature of the transformations
presented in the pages that follow, since it is in the nature of disruptive technologies
to be difficult to anticipate. Given that the aim is to map the trends that will be
decisive over the next ten years, it will come as no surprise to find in this study
arguments that are speculative, even if they are inspired by the work of reputed
researchers who publish in peer-reviewed journals or of unanimously recognized experts.



Cloud computing

There is no consensus on when this term³ first appeared in scientific language (Choo,
2010). Some believe it was first used by Eric Schmidt, a senior Google executive, in
2006, while others suggest that the terminology was in use as early as the 1990s in the
telecommunications sector, when virtual private networks (VPNs) were created to make
data transfers more efficient. The concept of software as a service (SaaS) also spread
rapidly from the late 1990s, without the term cloud computing being attached to it.

The reference definition of cloud computing is provided by the National Institute of
Standards and Technology (NIST):

A model for enabling convenient, on-demand network access to a shared
pool of configurable computing resources (e.g. networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. (Mell and Grance,
2011: 2)

This model is therefore characterized by access to potentially unlimited hardware
resources that require no upfront investment from users, since that investment is borne
by third parties, and that prove highly elastic in meeting organizations' fluctuating
information needs (Chen et al., 2010: 4). Payment is made by the minute or by the hour,
according to consumption, on the same model as electricity, water or telephone service,
which allows a "variabilization" of costs (MEFI, 2011: 67). In addition, the
responsibilities and constraints tied to maintaining the service are left entirely to
the provider, the user needing only internet access (Foresight Horizon Scanning Centre,
2010: 144).

Four cloud computing configurations are usually identified, according to the degree of
exclusivity in access to the hardware infrastructure: resources may be public, shared by
a small group of organizations, private, or hybrid, when companies use a mix of public
and proprietary solutions (Mell and Grance, 2011: 2; Fenn and LeHong, 2011: 39).

Evolution of the technology

The various estimates of the size of the cloud computing market point to double-digit
growth over the coming years. Worldwide revenues from cloud computing services stood at
68.3 billion dollars in 2011 and are expected to double to reach 148 billion in 2014
(Foresight Horizon Scanning Centre, 2010: 146). A few dominant players in this sector,
such as Amazon and Google, will post revenues of around one billion US dollars in 2012
(Gens, 2011: 4), which will make them major providers of services to businesses. More
optimistically, Cisco and IDC estimate that by 2020 one third of all computer data will
be stored in or pass through systems administered in the cloud, and that the explosion
of this market could generate revenues above one trillion⁴ dollars by 2014 (Gantz and
Reinsel, 2010; Nash, 2011).

³ The Office of the Privacy Commissioner of Canada (2011) has chosen instead to use the
neologism "infonuagique".

The public sector will also be affected by this trend, since the American government
estimates that by 2015 its annual budget spending on the purchase of cloud computing
services will reach seven billion dollars (Kaufman, 2009: 62). The French Ministry of
the Economy, which puts the share of cloud computing at 20%-25% of the overall IT market
in 2020, estimates for its part that governments wishing to remain competitive in this
field will have to make investments as large as those granted to traditional industries
such as the automobile industry, and it plans to inject 780 million euros into this
technology under its "investments for the future" program (investissements d'avenir)
(MEFI, 2011: 67).

This market is not reserved for businesses or governments alone, since consumer services
such as DropBox offer affordable (sometimes even free) tools for sharing documents or
synchronizing data simultaneously across several digital devices (Webbmedia Group, 2011:
14), and Netflix could not market films through real-time video streaming without
relying on the technical capabilities of cloud computing (Webb, 2011).

Development drivers

The first driver is technical. Cloud computing meets very strong demand from social
networking sites, which use it as a growth lever in the face of an explosion in the
number of users (more than 800 million in the case of Facebook). The proliferation of
sites offering video and mobile content also contributes to the rise of cloud computing,
because it lets them handle with agility the exponential increase in the volumes of data
that must be accessible anywhere and at any time.

The second development driver is financial. The unequalled flexibility that cloud
computing promises to user companies, together with the savings achieved on both
operating expenses and capital investment, make it an enticing proposition, particularly
in this period of financial turbulence (IBM, 2011: 8).


⁴ One thousand billion on the short scale in use in the United States and Canada.





Implications for cybersecurity

Cloud computing brings many advantages to businesses, but the hoped-for commercial
success has somewhat overshadowed the debate on cybersecurity issues.

In particular, the regulatory framework for data ownership will need to be clarified,
since data will be hosted on providers' machines and no longer on the machines or
networks of their owners. The responsibilities of each party for privacy protection and
compliance with regulatory obligations will require particular attention (Kaufman, 2009:
62), notably as regards the cross-border movement and storage of data, which cannot
escape national regulatory regimes (Office of the Privacy Commissioner of Canada, 2011;
Helmbrecht et al., 2011: 8). In the same vein, the possibility that dishonest providers
of these services might steal their clients' confidential information in order to resell
it to competitors cannot be ruled out (Chen et al., 2010).

Cloud computing adopters will face a loss of control over the nature and effectiveness
of the security solutions deployed, insofar as these decisions rest in the hands of
service providers, not all of whom have the same protection capabilities as market
leaders such as Google or Amazon. In practice it will be difficult, if not impossible,
for users to verify that the promised security measures are actually implemented
(Cattedu and Hogben, 2009). Data confidentiality is thus likely to become harder to
ensure in this configuration.

This is all the more true because the particular architecture of cloud computing creates
increased vulnerability to malicious acts or internal failures on the part of
administrators or privileged users, who will concentrate in their hands unequalled power
over large quantities of data. It will, however, be harder for external users to assess
the competence and reliability of these administrators (Rocha et al., 2011: 45), who
will also be able to cause more serious damage because of the quantity of data under
their responsibility.

Faced with criminal, natural or accidental risks, cloud computing creates increased
interdependence among victims hosted on the same platform. If an intruder breaks into
the systems of a company offering cloud computing services, potentially all of that
organization's clients become exposed to the threat (Choo, 2010: 2; Cloud Security
Alliance, 2010: 11). Moreover, if the service provider is forced for one reason or
another (natural disaster, hacking, technical failure, search or seizure...) to
interrupt the operation of its servers, and unless it has immediately available
redundant infrastructure, its clients will lose access to their data until the situation
is restored, and will see their performance degraded or their survival threatened.
Some researchers also point to the criminal use that hackers and fraudsters could make
of these technical capabilities, harnessing their considerable computing power to carry
out attacks and evade surveillance by security organizations. According to the Bloomberg
news agency, Amazon's cloud network (known as EC2, for Elastic Compute Cloud) was thus
reportedly used by hackers in early 2011 to attack the computers of Sony and seize the
personal data of several tens of millions of its customers (Alpeyev, Galante and Yasu,
2011). At the beginning of the same year, a German security researcher unveiled software
for cracking the passwords of protected wireless networks by using Amazon's EC2 service
to test more than 400,000 possibilities per second (Thomas, 2011). Finally, producers
and consumers of child pornography could come to use these capabilities to better
protect their transactions (Biggs and Vidalis, 2009: 4; Choo, 2010: 4).

In the event of a legal dispute or criminal investigation, the use of cloud computing
services introduces an additional degree of complexity into investigations, notably as
regards the preservation and analysis of evidence (Butler Curtis et al., 2010: 2).
Digital forensic investigations follow a rigorous procedural framework intended to make
the evidence collected admissible before a court, and sometimes a jury. The principles
of chain of custody, which must guarantee the provenance of evidence, are for example
almost impossible to respect for cloud computing, where data is often stored outside
investigators' control. Metadata and the information contained in computer logs are also
very difficult to obtain in the cloud, even though they give investigators essential
information about suspects' activities (Reilly et al., 2010: 6). Protocols adapted to
this new technological reality will therefore have to be developed by law enforcement
agencies, in collaboration with the private actors that provide these services.

Aware of the impact of security issues on the commercial viability of their service
offering, the main providers have moreover come together within the Cloud Security
Alliance⁵ to design security norms and standards that are uniform across the whole
industry. However, this effort is being conducted autonomously, without consulting the
government authorities of the main countries concerned, which does not really favour the
emergence of robust security partnerships or networks.


⁵ https://cloudsecurityalliance.org/

Big data


The term "big data" reflects the appearance in recent years of datasets containing
gigantic volumes of unstructured or disparate information. The units used to quantify
these volumes of data are no longer the gigabit or the terabit, but the peta-, the exa-,
or even the zettabit (10^21 bits). IDC thus estimates that in 2011 the worldwide
quantity of information created and exchanged on digital media (the digital universe)
amounted to 1.8 zettabits, and that it would be multiplied by twenty by 2020 to reach 38
zettabits (Gantz and Reinsel, 2011).

Evolution of the technology

For businesses, these massive, very high-velocity flows take the form of internal
relational data from interactions with customers or suppliers via websites or call
centres, results of polls and demographic surveys, geolocation coordinates updated in
real time, any information produced by a digital device (see the section on the internet
of things), but also external content from social media sites. The volume and diversity
of the data processed prevent traditional analysis techniques from being used, so one
must turn to specialized solutions that rely on advanced computing and statistical tools
(the Hadoop MapReduce programming technique, the R language for statistical analysis and
visualization), to infrastructure designed expressly for such uses (NoSQL databases,
massively parallel processing databases, very high-speed networks) and to analysts with
cross-cutting skills in computer science and statistics (Asthana, 2011).

Rather than analyzing data selectively, big data techniques take a global approach,
simultaneously processing all the data at an organization's disposal in near real time
(Fenn and LeHong, 2011: 6) in order to extract new knowledge from it. This hidden value
comes from identifying minute details in an ocean of data (the proverbial needle in a
haystack) that signal emerging trends or untapped sources of profit (Manyika et al.,
2011). The main attraction of big data is indeed to link, at an unprecedented scale,
information that was previously considered separately, such as disparate data on a
single individual, on networks of individuals, on communities, on collective behaviours
or on natural phenomena (Boyd and Crawford, 2011). Gartner estimates that companies that
master this range of techniques will in 2015 achieve profits 20% higher than those of
their less well prepared competitors (Fenn and LeHong, 2011: 20). Among the most
intensive current users of these techniques are IBM, Facebook, Google and Walmart.
Intelligence agencies, financial institutions, insurance companies, marketing firms and
telecommunications operators are also at the forefront of this technological trend of
"extreme" information management (Gruman, 2010: 12; Banerjee et al., 2011).

Development drivers

The first development driver is social, since the volumes of data generated by new
practices of sociability will grow exponentially over the coming years. First, social
media, which are becoming the dominant means of communication (having recently
supplanted email) and a favoured tool for organizing and showcasing individuals'
personal memory, generate immense quantities of data, whether personal or group
messages, updates to various statuses (location, emotions, marital status, professional
occupations, leisure activities, etc.) or photos shared with "friends". These mountains
of data will have to be analyzed in sophisticated ways by the companies that make these
platforms available to users, in order to monetize them with advertisers. In addition,
the increasingly widespread practice of the quantified self, which advocates the
systematic recording of personal data with the aim of improving physical or intellectual
performance, also helps increase the quantity of digital data that can be analyzed at
very large scale (Webbmedia Group, 2011). Finally, the worldwide movement advocating
open access to public administration data (open government data), which is enjoying
growing success in certain countries, foremost among them the United States, the United
Kingdom and to a lesser extent Canada, will probably feed big data processing tools. For
example, the American site data.gov makes more than 390,000 freely usable datasets
available to internet users, while the Canadian site datadotgc.ca (maintained by
ordinary citizens) more modestly offers 523 datasets.

In the business world, the past few months have seen the creation of data marketplaces
that let companies access the data of other public or private organizations in order to
strengthen the analytical power of their tools. Microsoft has thus just launched an
initiative of this type for its Azure⁶ platform, and offers or rents access to 118
databases containing several trillion entities. Increasingly capable visualization tools
will also let organizations explore and explain the big data in their possession more
intuitively, which will open up the use of this type of analysis, until now reserved for
a small group of experts, and accelerate its adoption within organizations (Dumbill,
2011). Finally, the growing interpenetration between the business world and the research
world, in computer science but also in the social sciences, will foster collaborations
around the use of big data and enable new innovations in this field (Boyd and Walker,
2011).

⁶ https://datamarket.azure.com/

On the technical side, the growth of the internet of things, which we analyze in the
next section, will also contribute directly to the explosion in the quantity of data
collected by organizations and in the possibilities for novel analyses that will follow
from it.

Implications for cybersecurity

A growing number of companies and organizations see the commercial potential that
reselling such quantities of data can generate, and they are seeking to draw an
additional source of revenue from it. Large financial institutions have thus begun to
market data relating to their customers' payment card transactions (stores visited and
products purchased) (Banerjee et al., 2011). In Holland, a provider of GPS location
solutions also sold the geocoded travel data of its users to government agencies,
including a police service, which used it to plan the optimal placement of automated
speed cameras (Lasar, 2011). This secondary market for big data nevertheless exposes the
privacy of customers and users to unwanted intrusions and raises significant ethical
problems. For example, cross-referencing big data files makes it possible to
de-anonymize, with a sufficiently high degree of confidence, fragments of information
that appear innocuous (Acquisti et al., 2011). This uninterrupted deluge of data also
makes it particularly difficult to exercise the traditional privacy control mechanisms
on which organizations, individuals and regulatory authorities currently rely. Indeed,
in such an environment, how can one determine with certainty what types of data are
collected and held, with what degree of precision and reliability, or what retention,
exchange, commercialization and destruction policies are in place (Newton and Pfleeger,
2006: 180)?

In such a context, automated mechanisms for privacy protection (privacy by design) and
access management will certainly have to be designed so that users and companies can
regain control and responsibly manage the massive quantities of data they generate
(sometimes without knowing it) and that are now becoming exploitable (Hourcade et al.,
2009: 31; Jonas, 2011). Certain initiatives aimed at individuals, such as the
applications MyPermissions⁷, ThinkUp⁸ or the Locker Project⁹, and the applications
Accumulo, developed as open source by the National Security Agency (Jackson, 2011), and
Infosphere Sensemaking, developed by IBM (Jonas, 2011: 15), illustrate the form these
tools could take.


⁷ http://mypermissions.org/

⁸ http://thinkupapp.com/

⁹ http://lockerproject.org/







While the analysis of big data raises a number of technical problems, securing it also
presents many challenges. Encrypting all of the data is not a feasible solution at such
a scale, because of the technical constraints involved, and only the most sensitive
information can be treated this way. This data must, however, be decrypted for each
analysis in order to allow cross-referencing, which exposes the information more
frequently and more massively to criminal threats. The development of encryption
techniques that allow data to be manipulated and analyzed without having to decrypt it
will therefore have to be accelerated. These innovative cryptographic techniques protect
the integrity of the data while preserving its initial format (format-preserving
encryption) (Spies, 2008).
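
The paragraph above points to format-preserving encryption as a way to keep sensitive fields encrypted while analyses still cross-reference them. The following is an added example, not taken from the report: a toy Feistel cipher over decimal strings built on HMAC-SHA256 (it is not the NIST FF1/FF3-1 algorithms), with a constructed key, constructed card numbers and hypothetical function names, showing two tokenized tables being joined on the encrypted field.

```python
import hashlib
import hmac

ROUNDS = 10  # even count, so both halves finish in their original positions


def _round_value(key, tweak, rnd, half, modulus):
    """Keyed round function: HMAC-SHA256 over (round, tweak, half), reduced mod 10**m."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits):
    """Validate the input and split it into a left half (u digits) and a right half (v)."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected a string of at least two decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key, digits, tweak=b""):
    """Toy format-preserving encryption (assumption: illustrative Feistel, not FF1)."""
    a, b, u, v = _split(digits)
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_value(key, tweak, rnd, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)             # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key, digits, tweak=b""):
    """Inverse of fpe_encrypt: undo the rounds in reverse order."""
    a, b, u, v = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        prev_a = (int(b) - _round_value(key, tweak, rnd, a, 10 ** m)) % 10 ** m
        a, b = str(prev_a).zfill(m), a
    return a + b


DEMO_KEY = b"constructed-demo-key"  # constructed; a real key would come from a KMS/HSM

# Constructed sample records; the card numbers are made-up test values.
PAYMENTS = [
    {"card": "4000000000000002", "merchant": "grocer"},
    {"card": "4000000000000010", "merchant": "pharmacy"},
    {"card": "4000000000000028", "merchant": "fuel"},
]
LOYALTY = [
    {"card": "4000000000000010", "region": "H2X"},
    {"card": "4000000000000028", "region": "K1A"},
    {"card": "4000000000000036", "region": "V6B"},
]


def tokenize(key, rows, field="card"):
    """Replace one field by its format-preserving ciphertext; other fields untouched."""
    return [{**row, field: fpe_encrypt(key, row[field], field.encode())} for row in rows]


def join_on(field, left, right):
    """Equality join; works on tokens because encryption is deterministic per key/tweak."""
    index = {row[field]: row for row in left}
    return [{**index[row[field]], **row} for row in right if row[field] in index]


def demo():
    """Join the two tokenized tables, then decrypt only the matching identifiers."""
    joined = join_on("card", tokenize(DEMO_KEY, PAYMENTS), tokenize(DEMO_KEY, LOYALTY))
    return [(fpe_decrypt(DEMO_KEY, r["card"], b"card"), r["merchant"], r["region"])
            for r in joined]


if __name__ == "__main__":
    for row in tokenize(DEMO_KEY, PAYMENTS):
        print(row)  # still 16 decimal digits, so existing schemas accept it
    print(demo())
```

Because equal inputs give equal tokens under the same key and tweak, anyone holding two tokenized tables can still link records across them, so the choice of key and tweak per dataset decides who is able to cross-reference what.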

The technical platforms used to analyze big data are still relatively immature and were
not originally designed to offer high levels of security, since the aim was mainly to
study open data. Organizations that decide to exploit this technology will therefore
have to acquire or develop additional security solutions, which will always remain less
robust than a more integrated approach (security by design) (Lane, 2011).

The process of amalgamating and reusing data for repeated analyses also produces a
proliferation effect, such that the traceability of data, particularly data classified
as sensitive, becomes harder and harder to establish. This multiplies the
vulnerabilities and the opportunities for offenders to seize large quantities of
potentially very profitable personal data.
Internet of things

The internet of things (IoT) refers to the growing interpenetration of the physical
world and the digital world through sensors and sensing devices built into the objects
around us (from motor vehicles to pacemakers, by way of refrigerators and electricity
meters), these objects gaining the ability to communicate wirelessly with computer
networks using the internet protocol. The massive data flows produced by these objects
then make it easier to monitor their operation and the environments in which they
operate (Chui et al., 2010). They can thus inform their owner or the company operating
them about their general operating condition, their possible maintenance needs, their
productivity, expected arrival times at a predetermined destination, but also about the
heart rate or blood sugar level of the person fitted with such a device, etc. (Gens,
2011: 18). We will therefore see an expansion of the internet, which will encompass not
only traditional digital networks but also local networks of objects able to communicate
with one another and with their controllers (Hourcade et al., 2009: 2).

Evolution of the technology

Gartner estimates that this trend will reach its peak within a decade, even though there
are already more objects than computers connected to the internet (Fenn and LeHong,
2011: 23). Cisco predicts that there will be more than 50 billion objects connected to
the internet in 2020 (Evans, 2011: 3), while the international association of mobile
telecommunication operators is more circumspect, with an estimate of 24 billion, which
is explained by a more restrictive definition of what a connected object is (GSMA, 2011:
3).

Development drivers

The first development driver is technical. Although the IoT concept is not new in
itself, the miniaturization of electronic components, their low cost and the increase in
computing power and in the bandwidth of computer networks have led to a diversification
of, and an acceleration in the number of, objects that can be connected to the internet
(Fenn and LeHong, 2011: 6). The adoption of version 6 of the internet protocol (IPv6),
which raises the number of available addresses from 4.2 billion to 340 sextillion
(10^36, long scale), will also facilitate the expansion of the internet of things and
open the way to countless new possibilities, provided that these bring added value to
existing services.

On the functional level, the IoT should indeed allow businesses and public institutions
to offer services that were not previously available and that will improve users'
quality of life, such as locating available parking spaces in a neighbourhood in real
time, or improving the quality of care by bringing patients in distress and the nearest
medical expertise together more quickly (Fenn and LeHong, 2011: 23). The many practical
applications of the IoT that will allow individuals and organizations to optimize their
use of space and time should fuel the rapid growth of this trend over the coming years.

Finally, on the economic level, the GSMA association estimates the profit opportunities
linked to the IoT at 445 billion dollars for the consumer electronics industry, 202
billion for the automotive industry, 69 billion for the health sector and 36 billion
for electricity, water or gas distributors (utilities) (GSMA, 2011).

Implications for cybersecurity

The IoT will open up new possibilities for surveillance, which are nevertheless likely
to raise many debates about ethics and respect for privacy. Unlike video surveillance
systems, which are limited by the type of data they can collect and process, the IoT
will be able to give security services access to very rich data, whether images taken
by smartphones, or sounds, smells, chemical compounds, biometric information, etc.
(Silberglitt et al., 2006: 28). A few Canadian police services have already made use of
the recording capabilities of electronic devices used by ordinary citizens to identify
the perpetrators of acts of vandalism during urban riots in Montreal, Toronto or
Vancouver. Other North American cities such as Washington, Los Angeles or Boston have
installed, in their most violent neighbourhoods, clusters of acoustic sensors that can
detect the origin of gunshots or cries of distress (Klein, 2006; Ntalampiras et al.,
2009). The IoT will accelerate this trend toward the use of technological sensors for
security functions. However, the use that will be made of such capabilities will
certainly raise many objections from privacy protection organizations.

The increase in the number of entities connected to the internet will mathematically
increase the number of targets available to hackers, whether cars, medical instruments
or home automation devices. A disgruntled employee of a Texas car dealership thus
already managed in 2010 to hack about a hundred cars by remotely accessing the vehicle
immobilization system, intended for use in the event of non-payment of monthly
instalments (Poulsen, 2010). Researchers have also shown how insulin pumps, pacemakers
and cardiac defibrillators implanted in patients' bodies could be hacked and
reprogrammed remotely by exploiting the deficient security of these objects'
connections (The Future Laboratory, 2011: 11).

Because of their number and the need to keep production and operating costs as low as
possible, the designers and manufacturers of these connected objects will probably not
wish (or not be able) to equip them with overly restrictive security features, except
for those built into expensive consumer goods (such as luxury cars) or into essential
services relating to human health or critical infrastructure (smart meters). This
reluctance risks creating new vulnerabilities for the internet as a whole, since these
objects could be used by hackers as access points to more attractive systems toward
which they will redirect their attacks (Roman et al., 2011).

The implications are not only digital, since the proliferation in public spaces of
objects connected to the internet (traffic lights, video surveillance cameras,
vehicles, various meters, etc.) will also raise the problem of their physical security.
Unless protection and hardening mechanisms are devised, they will in fact escape the
vigilance of capable guardians, despite the fact that they will be attractive targets
for motivated offenders (Cohen and Felson, 1979), who will gain through them physical
access to sensitive computer networks.



Mobile internet


The concept of mobile internet (or mobile computing) refers to the set of technologies
that allow full or lightweight access to the internet using mobile devices such as
smartphones or tablet computers (of the iPad type). Mobile internet encompasses three
components: 1) the mobile devices that make this possible; 2) the applications that
allow these devices to connect to computer networks (such as the operating systems iOS
from Apple, Android from Google, Windows 8 from Microsoft or Blackberry OS), as well as
the many applications available for each of them; and 3) the technologies that allow
websites to recognize users connected via mobile technologies and thus offer them
content tailored to their geographic position or their personal interests.

Evolution of the technology

Mobile internet was born toward the end of the 1990s (Kaikonnen, 2009), but until
recently it remained a marginal phenomenon. It is the current growth of the smartphone
market (smartphones combine in a single device functions of telephony, data management,
photography, video, music and geolocation) that is fuelling this trend and allowing
users to be connected to the internet everywhere and at all times.

For the year 2012, IDC forecasts that twice as many mobile devices (895 million units)
will be sold as conventional computers (400 million units) (Gens, 2011: 7), and that
spending on data consumption via mobile networks will for the first time exceed
spending on data consumption delivered by fixed networks (ADSL or fibre-optic
technology, for example). The anticipated download of 85 billion mobile apps should
allow mobile internet to sustain very dynamic growth for a few more years (Gens, 2011).

By 2015, a quarter of the SIM cards[10] activated worldwide will be associated with
smartphones or mobile modems (identical to 3G dongles), which will represent a market
of 1.5 billion consumers (GSMA, 2011: 2).

Drivers of development

The first driver of development is economic. Mobile telecommunications companies are
indeed investing massively in the deployment of latest-generation technologies (3G,
LTE), which will offer internet access as fast as that available to residential
customers on high-speed connections. Over the next five years, worldwide investment in
this area should amount to more than 100 billion dollars, and 300 million users should
be connected to latest-generation LTE networks in 2015 (GSMA, 2011: 2). The profits
these companies hope to derive from the sale of data services are directly proportional
to the investments made and therefore explain this enthusiasm.

[10] The SIM card is a chip that identifies a user on a mobile network.

The technical implications of these financial investments will be felt very quickly,
insofar as the trade association GSMA (2011: 4) forecasts that this technical
infrastructure will multiply tenfold the volume of digital data transiting through
mobile networks by 2020, to reach 42 exabits. This growth in the data exchanged will
particularly benefit developing countries, for which mobile internet will be a means of
gaining direct access to high-speed connections in the absence of terrestrial
infrastructure (ITU, 2010: 2).

The economic and technical drivers will also bring about a third driver, which is
commercial. Service companies indeed see in mobile internet opportunities to exploit,
given that applications will allow them to improve the profitability of their business
models and to interact in a much more personalized way with their customers, notably by
taking advantage of the geolocation capabilities of mobile internet (Yuan and Barker,
2011: 6; Webbmedia, 2011: 12). In response to this commercial driver, it is estimated
that by 2013 nearly 80% of companies should equip some of their employees with tablet
computers (Yuan and Barker, 2011: 6). A potential barrier to this driver tied to better
productivity is the proliferation of competing platforms (Android, iOS, Windows 8,
Blackberry OS, webOS, etc.). It risks leading to higher development costs for new
applications, especially if these must be available on all existing platforms (IBM,
2011: 7).

Implications for cybersecurity

Consumers will take advantage of the technical capabilities of smartphones and mobile
devices, combined with the services offered by companies, to carry out financial or
banking transactions online wherever they are and at any time. Moreover, mobile wallet
services, intended to replace cash payments, are in development. Fraudsters will
therefore find a new source of revenue there, and the infection of phones with
malicious applications (malware) should see growth reflecting the high adoption rate of
mobile internet. The security company Norton thus measured by means of a survey that
10% of the adult population had reportedly already been victims of crimes related to
the use of smartphones, and Symantec estimated in 2010 that threats specific to mobile
internet had grown by 42% over the previous year (Albanesius, 2011).

As in any period when new risks emerge, offenders benefit from a window of opportunity
during which the public remains poorly informed about the vulnerabilities to which it
is exposed and the means of protection to put in place. Thus a recent survey conducted
in France showed that only 4% of smartphone users were concerned about the risks
related to computer viruses, whereas this figure was 22% for internet users (The Future
Laboratory, 2011: 14). Similarly, nearly a third of respondents to a survey conducted
by Damballa in 2011 were concerned about cybercrime related to the use of personal
computers, whereas this figure was only 13% for cybercrime related to smartphones
(Damballa, 2011). This translates into lower adoption rates of security solutions among
mobile internet users, since only 16% had installed the most recent security
applications, and 13% of those surveyed had installed software capable of erasing
personal data in the event of loss or theft (Damballa, 2011). In this context, the
security of the applications downloaded by users and the control policies (prospective
or retrospective) implemented by the major platforms such as Android Market or iTunes
App Store will prove decisive (Giles, 2010).

The security problems related to mobile internet do not only concern software. The
equipment placed on the market and the supply chain for components and distribution
will also need to be the subject of particular vigilance. Thus, in 2010, the Spanish
subsidiary of the English telecommunications giant Vodafone was confronted with an
incident in which 3,000 smartphones infected with the Mariposa malware were sold by its
own authorized resellers (Leyden, 2010).

Of course, mobile internet will not only be an additional source of risk, and many
financial institutions have already built into their anti-fraud arrangements email and
SMS alerts that facilitate the early identification of suspicious transactions (de
Villiers, 2010). Mobile internet therefore has an attractive potential to contribute to
the security of the digital ecosystem.



Brain-computer interfaces


Brain-computer interfaces are technologies that make it possible to connect external
computing devices directly to the human brain or nervous system. This allows
individuals to interact with computers by thought. These technologies are currently
used in medicine to compensate for, assist or augment the cognitive and motor functions
of people suffering from physical impairments (paralysis, locked-in syndrome) or
psychological ones (stress, attention deficit) (Foresight Horizon Scanning Centre,
2010). These technologies generally involve the use of more or less invasive
electrodes, that is, ones working by simple contact with the scalp or, on the contrary,
implanted directly in the brain during a surgical operation, to pick up the waves
emitted by the brain (Demetriades et al., 2010: 267).

Evolution of the technology

This technology has been in development since the early 1970s, but few advances were
initially made because of the technical limits of electroencephalography (EEG), that
is, the method by which the brain's electrical activity is measured. Indeed, the high
error rates between the signals emitted and their interpretations long remained too
great to consider applications outside research laboratories (Wang and Jung, 2011: 2).

These interfaces are an extension of intuitive interfaces for interacting with digital
technologies, such as voice recognition systems, touch screens or motion detection
systems, found in Nintendo's Wii, Microsoft's Kinect or Apple's SIRI technologies.
These technologies, previously expensive and reserved for the world of research or
business, are making their appearance in consumer electronics, and will come to
progressively replace the keyboard and mouse as the preferred modes of interaction
between humans and machines (Yuan and Barker, 2011).

Drivers of development

On the technical level, the development of non-invasive methods of measuring brain
activity and of increasingly lightweight equipment should accelerate the development
and adoption of this technology. Indeed, until recently, it was thought that
brain-computer interfaces would have to rely on electronic implants in the human brain
in order to work effectively, which constituted a major technical barrier to the
development of this technology for commercial applications (Silberglitt et al.,
2006: xix). Significant advances have been made in this area, and the company Emotiv
has for a few months been selling, at a price of $300, a wireless neuroheadset allowing
the acquisition and processing of brain signals. Research is also under way to measure
neural signals without physical contact, by combining several different categories of
sensors (Fenn and LeHong, 2011). The miniaturization and falling costs of this
technology, as well as the development of consumer applications and the refinement of
techniques for interpreting the signals emitted by the brain, should favour its
adoption within the next five years, according to IBM Research (Brown, 2011).

Implications for cybersecurity

This technology shows high potential for truth detection and the direct reading of
memories, which do not concern cybersecurity as such but illustrate the convergence
between advances in digital technologies and their applications to more traditional
security problems. However, such uses will raise unprecedented problems for the
protection of privacy if it becomes possible to read the thoughts or measure the
emotions of individuals without their knowledge, routinely and with a satisfactory
level of reliability.

Brain-computer interfaces also open the way to new risks of brain hacking, all the more
so since the long-term effects of these interfaces on human subjects and the
personality changes they cause remain very poorly understood (Clausen, 2009). If this
reasoning is pursued, one could then envisage attacks launched from the digital
ecosystem, from computers, against human targets, with lasting psychological or
physical injuries as direct consequences. This would constitute an additional and
unprecedented factor of convergence between digital risks and physical risks. Along the
same lines, it is also possible that these technologies could be used as substitutes
for the narcotics currently available, and that new criminal markets similar to drug
markets could offer novel experiences of addiction through these networked interactive
technologies (Cave et al., 2009: 15).

The widespread adoption of this technology will also have to lead us to reconsider the
existing rules for establishing the criminal liability of individuals. Indeed, if a
criminal act results from a brain-computer interface's erroneous interpretation of a
user's thoughts, how can responsibility be attributed with certainty to the various
components of this hybrid system (Nishida and Nishida, 2007)? It can therefore be
assumed that the regulation of these technologies will have to combine legal, technical
and medical approaches, which risks posing a significant problem for regulatory
authorities, which are little accustomed to operating at the intersection of several
fields of activity (Cave et al., 2009; Demetriades et al., 2010).

Contactless payments


Contactless payment technology (near field communication (NFC) payment) uses various
wireless communication technologies related to RFID chips to facilitate financial
transactions at points of sale. This technology is mainly installed on payment cards
and mobile phones, which need only be brought within a few centimetres of an equipped
receiving device to carry out the transaction, which considerably speeds up the process
at points of sale (Tata, 2011: 9). This technology aims to facilitate proximity
interactions between various devices and competes directly with traditional means of
payment such as cash or debit and credit cards (Ondrus and Pigneur, 2009).

Evolution of the technology

As early as 2003, the American company Applied Digital Solution (ADS) created the
VeriPay system, a subcutaneous RFID chip allowing purchases to be paid for without
having to take out one's wallet. This system never achieved the expected success,
however, and its production was discontinued in 2010.

Major industry players such as Google (Google Wallet), Apple, Nokia (Obopay system),
AT&T, T-Mobile and Verizon (Isis consortium) or BMW (Connected Drive key technology)
have in recent months made significant investments in this technology and should
promote it to consumers. Silicon Valley companies such as Naratte (Zoosh system) are
also developing technological alternatives which will nevertheless have the same
functions as the contactless payment systems described above (Webbmedia Group,
2011: 12).

Drivers of development

At present, very variable degrees of adoption are observed internationally: while this
technology is proving popular in Asia (particularly in Japan), it is still struggling
to break through in Europe and North America. The reasons for these different rates of
development must therefore be sought in commercial and economic drivers.

On the commercial level, the widespread adoption of this technology will be mainly
determined by its adoption in the fields of quick service and in economic sectors where
transactions are very frequent, such as public transit (Ondrus and Pigneur, 2009). In
the United States, Starbucks coffee shops are thus among the first businesses to invest
in this technology (Kunur, 2011), and in Canada, several transit companies sell their
monthly passes on contactless payment cards (the Opus card in the Montreal region). The
arrival of Google and Apple in this market should also accelerate the pace of adoption.

But commercial efforts will not be the only determinants of the development of this
technology, which operates according to a particular economic structure. Contactless
payment technology indeed corresponds to what economists call a two-sided market, in
which users and businesses will have to adopt the technology simultaneously for it to
become widespread (Rochet and Tirole, 2003). Companies in the financial sector, which
have learned to master this type of market through payment cards, will therefore play
an important role. Their ability to conclude strategic agreements with
telecommunications companies will be decisive. As an extension of the considerations on
disruptive technologies, it could however be that companies outside the banking sector
(for example internet and telecommunications) choose to compete head-on with it by not
partnering with it in the deployment of this technology. For example, the company China
Mobile, which as its name indicates specializes in cellular telephony, invested in
March 2010 nearly six billion dollars in the Shanghai Pudong Development Bank in order
to accelerate the commercialization of its online payment services (Bloomberg, 2010).

From a technical point of view, interoperability between the various systems in
development remains an unresolved question, and as long as international standards have
not been accepted by all the players in this emerging market, or a consortium of
dominant players has not asserted its supremacy, this technology will struggle to
develop on a global scale.

Implications for cybersecurity

The implications for cybersecurity are very similar to those already raised for mobile
internet, but an additional security problem stems from the unsecured transmission of
banking data, which brings a risk of interception and manipulation of the data by
malicious third parties (Balaba, 2009). The technology is in fact not designed for
applications involving the transmission of sensitive data, and telecommunications
operators, manufacturers of phones and payment terminals, and application designers
will have to layer their own security solutions on top of the existing technological
architecture.

Mobile robotics

Mobile robotics (mobile robots) refers to multi-jointed mechanical systems capable of
moving autonomously or semi-autonomously and having the ability to influence their
immediate environment (Fenn and LeHong, 2011). These machines fulfil three main
functions: perception, reasoning and action. Some of these robots also have wireless
communication functions, which makes it possible to speak of collaborative robotics
(MEFI, 2011: 74).

Evolution of the technology

Mobile robotics is found in a growing number of sectors of activity, such as
manufacturing industries, but also service companies and the health sector, as well as
in place of humans to carry out dangerous tasks.

Japan and Germany are the most advanced countries in the development of civilian mobile
robotics technologies, while the United States and Israel dominate the military
robotics market. The French Ministry of the Economy estimates that the robot market
could represent 30 billion dollars by 2015 (MEFI, 2011).

Drivers of development

On the scientific level, recent progress in biomedical engineering has made it possible
to design robots whose mobility now approaches that of living beings (Newton and
Pfleeger, 2006: 187), as shown by the models developed by Sony and Honda (see below),
but also by Boston Dynamics with the BigDog robot, intended for transporting equipment
over rough terrain for American troops (Raibert et al., 2008). Significant advances
nevertheless remain to be made in "natural" communication between machines and humans
so that the sharing of space and cooperation can take place harmoniously (Luo and
Perng, 2011). Artificial intelligence and vision, which determine robots' understanding
of the three-dimensional reality around them, will also need further research (Costa et
al., 2011). Finally, information processing, such as the ability to forget in order to
discard useless information so as not to overload the sensors, will have to be improved
in order to make the performance of these machines compatible with their operation in
complex environments (Freedman and Adams, 2011).

As regards industrial drivers, it will be noted that Sony and Honda have created
companion robots with a human or animal appearance, which suggests that this market
should broaden over the coming years and no longer concern professional applications
exclusively. Algorithms and software applications are also the subject of industrial
initiatives favouring the development of new products: Microsoft and iRobot thus now
make the source code of their products (Kinect and Roomba) available to robotics
engineers, so that they can freely integrate it into their projects.

Social drivers will also play an important role in the development of mobile robotics.
The aging of the population in Western countries and the limited budgetary means for
the institutional care of people with reduced mobility will lead to the development of
technologies that make it easier for elderly people to remain at home. Mobile robots
could therefore be an attractive alternative combining functions of assistance with
household tasks and monitoring of their owners' vital signs, raising the alarm in the
event of a health problem. Robots could also be used in workplaces where employees with
extremely rare skills work (surgeons come to mind here in particular), in order to
allow them to "project" themselves to several places simultaneously. These robots would
then embody existing individuals in places where they cannot go but where their
expertise is required (Newton and Pfleeger, 2006: 187). One barrier to overcome,
however, will be that of social acceptability. Indeed, the fear of interacting with
machines that are too (or not enough) anthropomorphic, or the fear of seeing them
supplant human jobs, could slow the deployment of this technology (Salvini et al.,
2010a).

Implications for cybersecurity

The proliferation of autonomous robots in public space will bring new risks to the
safety of individuals, notably if robots adopt undesirable behaviours or make errors
that cause accidents. Rules and standards of behaviour that respect the physical
integrity of humans will therefore have to be developed and built into the control
applications of these robots in order to reduce the threats (Bicchi et al., 2010) and
to assign responsibilities in the event of an incident.

Insofar as communications with mobile robots will rely on wireless technologies (see
the sections on the internet of things and mobile internet), the proliferation of these
machines in public space will generate opportunities for hackers to take malicious
control of them. The communication protocols that will be used and the authentication
mechanisms allowing instructions to be sent to mobile robots will therefore have to be
the subject of particular precautions, even if this will contribute to increasing
operating costs. For example, American military drones used in Iraq have already been
hacked by insurgents, who were able to intercept the signals emitted and deduce from
them the places or people targeted by their operators. The interception of this type of
signal risks multiplying with the growing use of robots for surveillance activities, in
the air but also in maritime and land environments (outdoor and indoor) (Raty, 2010).
Hackers could use this surveillance data to plan physical attacks (such as burglaries)
or to gain access to personal information likely to help them in their digital attacks
(such as harvesting usernames and passwords).

The legal status of robots that will in the near future be endowed with autonomy and
with what could resemble intentionality will also need in-depth consideration (Salvini
et al., 2010b). Since 2003, Japan has established geographic zones in which robots may
operate in public space without a special permit (the Tokku, or deregulated zones),
but this particular legal status is limited to tests and experiments with prototypes.
Quantum computing

Quantum computing is a branch of computing still at a very embryonic stage of
development which nevertheless points to revolutionary applications in terms of
computing power, and consequently of security. Quantum computing relies on the laws of
quantum mechanics to process large volumes of information far more efficiently than
traditional computing. As a reminder, the latter uses as its unit of measure the bit,
which encodes information in binary form using ones and zeros. By contrast, quantum
computing relies on qubits (short for quantum bits), which have two characteristics
unique to quantum mechanics: superposition and entanglement. Superposition is a
phenomenon whereby the same system can be in several different states simultaneously,
which considerably increases the complexity of the operations that can be performed.
Entanglement, for its part, describes the very strong correlation between quantum
particles that behave identically even when separated by great distances. This second
property proves particularly useful for security, because any attempt to intercept an
encrypted message exchanged between two parties will alter the state of the particles
received by the recipient and will reveal the attempted compromise beyond dispute.

Evolution of the technology

For now, quantum computing remains essentially at the theoretical stage, even though
very specific quantum cryptography solutions are already commercially available. The
few computers that have been built remain confined to the laboratories of the major
universities and companies conducting research in this field. The University of
Waterloo, in collaboration with the Massachusetts Institute of Technology, has
developed the most powerful quantum computer to date, which is capable of processing
twelve qubits. This is still not enough to match the performance of classical
computers, by its own designers' admission. Because of the instability of quantum
systems and the many technical obstacles to overcome, several years will be needed
before quantum computing fully delivers on its promise (QISTEP, 2004). A few years
ago, the Rand Corporation described its technical feasibility as highly unlikely
(Silberglitt et al., 2006: xix).

Drivers of development

Among the industrial drivers, large companies such as IBM, HP, Microsoft and Google,
as well as start-ups such as D-Wave Systems in British Columbia or MagiQ Technologies
in the United States, are investing substantial sums in quantum computing in order to
accelerate the development of machines and practical applications.

These industrial efforts are carried out jointly with the research community, which
receives substantial financial support. In Canada, for example, Mike Lazaridis, the
co-founder of Research in Motion (RIM), donated 100 million dollars to the University
of Waterloo in 2002 to fund the creation of an Institute for Quantum Computing
(Gillmor, 2012), to which the Canadian government granted an additional 50 million in
2009. Other countries, such as the United States and China, as well as the European
Union, are investing significant resources in basic and applied research on this
technology (Palmer, 2009; Weinberger, 2009; Shay, 2010).

Implications for cybersecurity

Quantum computing is particularly well suited to several categories of problems
central to cybersecurity, such as cryptography and cryptanalysis.

In cryptography, quantum computing would be able to produce and transmit unbreakable
encryption keys, since any interception would be detected instantly. This property
would make it an indispensable tool for intelligence agencies, other government
services requiring high levels of confidentiality, and financial institutions
(Silberglitt et al., 2006: 31).
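
An added illustration of the interception-detection property described above, not code from the report: a classical simulation of the BB84 key-distribution protocol (an assumption, since the report names no protocol) in which an eavesdropper measures and re-sends each qubit. The 11% abort threshold, the function names and the qubit counts are choices made for this example.

```python
import random

ABORT_THRESHOLD = 0.11  # assumed: abort if the sampled error rate exceeds 11%


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; the other basis yields a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_exchange(n_qubits, eavesdropper, seed):
    """Run one simulated exchange and return the sampled error rate and verdict."""
    rng = random.Random(seed)  # seeded so the constructed run is reproducible
    alice_bits, bob_bits = [], []
    for _ in range(n_qubits):
        bit, alice_basis = rng.randrange(2), rng.randrange(2)
        in_flight_bit, in_flight_basis = bit, alice_basis
        if eavesdropper:
            # Intercept-and-resend: measuring forces a basis choice, and the
            # re-sent qubit carries the eavesdropper's basis, not the sender's.
            eve_basis = rng.randrange(2)
            in_flight_bit = measure(in_flight_bit, in_flight_basis, eve_basis, rng)
            in_flight_basis = eve_basis
        bob_basis = rng.randrange(2)
        bob_bit = measure(in_flight_bit, in_flight_basis, bob_basis, rng)
        if alice_basis == bob_basis:  # sifting: keep matching-basis rounds only
            alice_bits.append(bit)
            bob_bits.append(bob_bit)

    # Publicly compare a random half of the sifted bits, then discard them.
    order = list(range(len(alice_bits)))
    rng.shuffle(order)
    half = len(order) // 2
    sample, kept = order[:half], order[half:]
    if not sample:
        raise ValueError("too few qubits to estimate an error rate")
    error_rate = sum(alice_bits[i] != bob_bits[i] for i in sample) / len(sample)
    accepted = error_rate <= ABORT_THRESHOLD
    return {
        "error_rate": error_rate,
        "accepted": accepted,
        "key_bits": len(kept) if accepted else 0,
    }


if __name__ == "__main__":
    for label, tapped in (("quiet channel", False), ("intercepted channel", True)):
        print(label, bb84_exchange(4000, tapped, seed=2024))
```

On the quiet channel the compared bits agree and the remaining bits become the key; with interception about a quarter of the compared bits disagree, so the two parties discard the key instead of using it.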

In the field of cryptanalysis (deciphering encrypted messages without the key), the
computing power offered by quantum computing would, in principle, make it possible to
break the strongest encryption keys without great difficulty and would make all
communication fundamentally vulnerable (Sanders, 2012).

Thus, a decisive breakthrough in putting the theories of quantum computing into
practice would have the potential to threaten the cybersecurity, and more broadly the
national security, of the adversaries (or even the allies) of the state that made this
discovery first.
Militarization of the internet

The militarization of the internet (internet weaponization or internet militarization)
does not stem from particular technical innovations, but rather from the evolution of
strategic and tactical doctrines. Although the history of the internet is closely tied
to the military investments made by various research agencies of the US Department of
Defense from the early 1960s, the digital environment had not until now been regarded
as a battlefield in its own right, as the land, sea, air and even space environments
are. Electromagnetic signals have indeed been put to military use since the Second
World War, but always for an instrumental purpose, to guarantee operational
superiority in conventional armed conflicts involving control of the four spaces
mentioned above.

Evolution of the trend

For some years, however, military doctrine has been evolving to make control of the
internet a matter not only of domestic security but also of national security, with a
growing volume of resources devoted to developing defensive and offensive capabilities
(Deibert, 2010).

In 2011 the Pentagon adopted a strategy aimed at treating digital environments (or
cyberspace) as an operational domain in its own right, officially emphasizing the
protection of networks and critical infrastructure (DoD, 2011). However, a less
publicized offensive component of this strategy also appears to be gaining operational
momentum. The Stuxnet computer virus, directed mainly against Iran's military uranium
enrichment effort, is thus attributed by many experts to a clandestine US government
initiative to acquire a cyber arsenal, mainly because of its degree of sophistication
and the resources needed to create such a virus.

But the United States is not alone in developing military capabilities in this area.
At least 32 other states (including Canada) have explicitly acknowledged developing
offensive and defensive operational capabilities in cyberspace (Lewis and Timlin,
2011). Some countries devote very significant budgets to this, such as the United
Kingdom, which plans to spend one billion Canadian dollars over four years under its
military cybersecurity policy, made public in 2010, while the Pentagon will spend a
little over 3.2 billion US dollars in 2012 on its defensive and offensive efforts in
the "cyber" domain (Sternstein, 2011).

Drivers of development

Among the legal drivers are the law of war and international conventions, as well as
national legislative provisions. These various legal frameworks will determine (for
liberal democracies at least) the extent to which offensive and defensive tools can be
officially integrated into the military arsenal or, on the contrary, restricted to
clandestine use. On 12 December 2011, the US Congress thus authorized the Pentagon to
conduct offensive actions in cyberspace within the existing legal constraints on the
engagement of US troops in armed conflicts. However, the classical legal instruments
will probably have to be amended to take into account the technical specificities of
these new offensive capabilities, such as the difficulty of attributing attacks. This
reform of the law of war does not yet appear to have begun.

The technical and economic drivers rest essentially on the research and development
costs of offensive digital weapons, which prove far more affordable than those of
conventional weapons. This characteristic therefore puts them within reach of
intermediate military powers, or even those marginalized on the international stage,
such as North Korea or Iran. These weapons will prove all the more attractive as the
growing dependence of essential infrastructure on digital networks gives them
undeniable power to disrupt and destroy. However, predictions that liken this type of
attack to a digital "Pearl Harbor" seem excessive and underestimate, or pretend to
ignore, the resilience of the digital ecosystem.

Strategic drivers also explain the appeal that the militarization of the internet
holds for some states. The architecture of digital infrastructure is such that the use
of offensive digital weapons can always be plausibly denied (plausible deniability),
and attribution of responsibility for such an attack remains impossible to establish
with absolute certainty (NCIX, 2011). It is therefore an operationally very
advantageous weapon, because it significantly reduces the risk of retaliation.

Implications for cybersecurity

First, the militarization of the internet, if it is not governed at the international
level by major treaties modelled on those used during the Cold War to cap the
production of nuclear weapons (SALT, START and ABM), risks leading to a similar
arms-race situation. The main difference is that the bilateral confrontation of that
era (USA-USSR) would be replaced by a much more open and unstable multilateral
configuration, structured around the three dominant actors in this field: the United
States, Russia and China (Yannakogeorgos, 2009). Such an arms race would subject the
digital ecosystem to uncertainty and threats of destruction whose scale and
repercussions are hard to imagine.

The multiplication of the offensive capabilities described above will also help
increase the insecurity of the internet by fostering the uncontrollable proliferation
of ever more sophisticated digital weapons. Beyond the uncertainty and new threats
that this militarization will impose on civilian and commercial operators, the open
and distributed architecture of the internet means that, once used, these digital
weapons can be analysed and recycled by anyone with sufficient reverse-engineering
capabilities. In the particular ecosystem of the internet, malicious applications
developed for national security purposes can thus quickly end up in the hands of
criminal interests, as has already been observed in the case of the Stuxnet virus. In
December 2010, previously unknown vulnerabilities (zero day exploits) used by this
virus appeared in the malicious application TDL-4, one of the largest botnets
currently in operation (Golovanov, 2010).

More generally, the militarization of the internet introduces a dangerous confusion
between the spheres of domestic security and national security, by assuming that the
main risks to the digital ecosystem are primarily the responsibility of the armed
forces, and that the latter must therefore deploy considerable resources and mobilize
private actors in partnerships characterized by secrecy in order to deal with them.
While this approach delights defence contractors, who see in it a very lucrative
source of revenue for the coming years, its main flaw is that it provides a single,
disproportionate response to risks as diverse as criminal risks (cyber fraud, online
harassment, production and consumption of child pornography), economic risks (illegal
downloading of content protected by the various intellectual property regimes), risks
related to cyber espionage (acquisition by government or private entities of secrets
held by adversaries or competitors) and military risks, which involve the destruction
of physical or informational assets. Without denying the need for the armed forces to
adapt their attack and response capabilities to the realities of current and future
digital environments, a reflection should be initiated as soon as possible to define
the role they should play in the cybersecurity ecosystem, alongside other equally
important actors such as police organizations, private security, high-technology
companies, NGOs, regulatory and judicial authorities and, of course, users. If this
debate is not held, this militarization risks weakening the digital ecosystem a little
more and destabilizing it rather than making it more resilient to the various threats
listed above.
Conclusion and recommendations

This final section addresses several cross-cutting themes that emerge from the nine
trends identified in the report and their implications for cybersecurity, and also
puts forward some general recommendations, which must nevertheless be treated with
caution given the forward-looking nature of the problems addressed.

It should first be noted that these trends must not be considered separately from one
another, even though we chose to study them in this way in order to make it easier to
describe and analyse them in terms of development drivers and impacts on the security
of the digital ecosystem. These nine trends are technically and socially
interdependent, and some even maintain symbiotic relationships with each other (such
as the mobile internet and contactless payments). Others will converge to offer new
services to individuals and businesses, such as the internet of things, which will
benefit from scientific advances in big data to improve business productivity. This
convergence is already under way: according to IDC, two thirds of the mobile internet
applications developed in 2012 will integrate analytical capabilities offered by
companies at the forefront of big data, and half of the applications will be connected
to or integrated with cloud computing platforms (Gens, 2011: 9).
The diagram above represents the interdependencies identified in the literature
consulted, without claiming to be exhaustive, since new links will certainly appear
with disruptive innovations that are still difficult to anticipate. The main
consequence of this interdependence, besides highlighting the structural complexity
inherent in the digital ecosystem, is to make us aware that any cybersecurity policy
or strategy can only be truly effective by taking an overall view of the various
trends and constantly monitoring the evolution of their mutual interactions, since
their respective maturation processes vary widely.

Recommendation no. 1: design and deploy a methodology and permanent monitoring tools
whose objective will be to track the evolution of the digital ecosystem, to map its
various actors and interactions, and to assess the implications of these
transformations for cybersecurity.

The regulatory risk to avoid in this type of configuration is that considering each of
the identified trends separately leads to a fragmentation of regulatory regimes and
risk management strategies and harms cybersecurity, where integration is
indispensable, as just noted.

Recommendation no. 2: align the regulatory regimes applicable to the various
infrastructures, applications and content with the resources and strategies
implemented by a growing number of government actors, as well as their private
partners, in order to detect emerging digital risks quickly and limit their impact on
a constantly evolving ecosystem.

Three characteristics appear to be shared by the various trends analysed in the
preceding pages: the exponential increase in the number of connected entities, in the
quantity of data processed by these entities in the digital ecosystem, and the
increased circulation of that same data. These three properties will multiply the
points and opportunities for compromise that allow the most sensitive systems and data
to be attacked, which will weaken the balance of the digital ecosystem unless suitable
strategies are implemented. This expansion and diversification of the digital
ecosystem will therefore have to be accompanied by institutional and regulatory
innovations which will in some cases upset established practices and jurisdictions,
and will face more or less intransigent resistance.

Recommendation no. 3: undertake an in-depth consultation and reflection exercise
intended to formulate proposals on restructuring existing government institutions or
creating new ones, in order to adapt the Canadian government's capacity for
intervention and coordination to new needs.

Indeed, it must be remembered that the designers of the internet never envisaged that
it would one day be called upon to carry such a quantity of data (Hourcade et al.,
2009: iv), nor that this data would occupy such an important place in the functioning
of organizations and the daily lives of individuals. As a result, each new trend
identified in this report adds complexity to a global digital ecosystem already facing
enormous challenges in terms of technical capacity, resilience and security. Any
disruptive technology brings about the appearance of new actors in the digital
ecosystem and the disappearance of companies or technologies that have failed to adapt
to this change. From a cybersecurity perspective, this instability makes coordination
efforts more arduous by constantly introducing new organizational actors whose
capacity and willingness to contribute to the security of the whole ecosystem are
difficult for their partners and the regulatory authorities to assess (and to
mobilize).

The transformation of the notion of privacy in particular is likely to generate a
number of tensions between the defenders of the existing protective regime (at least
in Canada and Europe), organizations showing an insatiable appetite for the personal
data of their customers, users or employees, and the authorities responsible for
securing the digital ecosystem. While users can be expected to continue to value the
protection of privacy and to demand that public and private organizations use their
personal information with discernment, it seems hard to justify relying on regulatory
tools devised in the 1970s and 1980s to meet the needs of the 2020s. The evolution of
technology must be accompanied by less dogmatic and more empirical thinking about
emerging social norms regarding privacy and about the socially acceptable and
ethically responsible practices that follow from them. It is inconceivable that large
groups such as Facebook or Google should unilaterally determine (and according to
their commercial interests alone) what the limits of privacy will be in 2020, but
making the preservation of this notion, central to an information society, rest on a
legal architecture inherited from the industrial era is just as unsatisfactory. This
seems all the more true to us because the convergence of traditional computing and
bioinformatics, already highlighted with neural interfaces, will extend thinking on
privacy and cybersecurity to the fields of biology and health and raise delicate
questions of ethics and individual rights.

Recommendation no. 4: intensify empirical research on the transformations of the
risks, norms and practices related to the protection of privacy in the digital
ecosystem.

The implications raised in this report mainly concern cybersecurity, but the
omnipresence in our daily lives of constantly connected digital tools, via the mobile
internet, the internet of things or contactless payments, together with their almost
unlimited access to our personal data, will accelerate the convergence of
cybersecurity problems with 'classic' human or physical security problems. Better
coordination among the actors responsible for prevention and law enforcement in very
different spheres of security will therefore become necessary. As the current
distinction between human security and cybersecurity loses its meaning, local security
institutions (mainly police services) that are unable to evolve and redefine their
mandate to integrate these two dimensions will certainly see their legitimacy called
into question by those they serve.

Recommendation no. 5: step up coordination and knowledge-transfer initiatives by
national and provincial authorities in order to accelerate and standardize the
development of local capabilities.

Moreover, even though we analysed these nine trends from a cybersecurity perspective,
it must be remembered that the digital ecosystem has not only become indispensable to
the proper functioning of the economy (through the integrity of financial
transactions, for example), but also plays a decisive role in the research efforts
conducted in other strategic technology sectors such as biotechnology, nanotechnology
and smart materials (Newton and Pfleeger, 2006: 188). In this respect, the security
and stability of the digital ecosystem are indispensable conditions for maintaining
Canada's technological competitiveness and capacity for innovation.

This explains why it will be imperative to find the balance point between
strengthening cybersecurity on the one hand and maintaining Canada's capacity for
technical innovation and economic competitiveness on the other. As we have already
mentioned, the trend towards militarization of the internet is, in our view, a factor
that breaks this delicate balance. The theory of responsive regulation of Ayres and
Braithwaite (1992), which envisages a gradation in the coercive level of control
measures according to the severity of the risks and the degree of cooperation of the
actors involved, seems to us much better suited here to the search for this balance.

We have not addressed this question for any of the nine trends, because of the
forward-looking nature of this report, but one can logically imagine that if
democratic governments prove unable to propose and implement satisfactory governance
and control mechanisms for cybersecurity at the local, national or international
level, the open and distributed nature of the technologies described in this report,
together with their relatively affordable access costs, could prompt individuals or
hacktivist collectives to promote self-defence and private justice initiatives
(vigilantism), which would further increase the insecurity and anarchy prevailing at
the margins of the digital ecosystem.

Finally, it would be counterproductive to consider only the risks arising from the
trends examined in this report. As we illustrated in the case of direct neural
interfaces and quantum computing, some of these technologies also hold strong
potential for improving the security of Canadians, and these dual characteristics must
be fully integrated into any cybersecurity planning.